Filename: 2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap
Status: Analysis complete
IDS: suricata-3.1.1
Ruleset: etpro-all
Runtime: 20.2881188393 seconds
Hash: 76ce6f1a84079aefcf7228fbfc0fc337
Uploaded: 1548410574

Logfiles


suricata-report-2019-01-25-T-10-03-14-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (15576 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata311/bin/suricata -c /opt/suricata311/etc/etpro/suricata311-etpro-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc337e8a7bb2412cd73ec1aeed3ba7907c563 -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
elapsedtime:19.397963
stderr:
stdout:
25/1/2019 -- 10:02:54 - <Info> - Configuration node 'rule-files' redefined.
25/1/2019 -- 10:02:54 - <Notice> - This is Suricata version 3.1.1 RELEASE
25/1/2019 -- 10:02:54 - <Info> - CPUs/cores online: 1
25/1/2019 -- 10:02:54 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 16211 after randomization.
25/1/2019 -- 10:02:54 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 16872 after randomization.
25/1/2019 -- 10:02:54 - <Config> - DNS request flood protection level: 500
25/1/2019 -- 10:02:54 - <Config> - DNS per flow memcap (state-memcap): 524288
25/1/2019 -- 10:02:54 - <Config> - DNS global memcap: 16777216
25/1/2019 -- 10:02:54 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
25/1/2019 -- 10:02:54 - <Config> - preallocated 1000 defrag trackers of size 168
25/1/2019 -- 10:02:54 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
25/1/2019 -- 10:02:54 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
25/1/2019 -- 10:02:54 - <Config> - preallocated 1000 hosts of size 136
25/1/2019 -- 10:02:54 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
25/1/2019 -- 10:02:54 - <Config> - using magic-file /usr/share/file/magic
25/1/2019 -- 10:02:54 - <Config> - Core dump size is unlimited.
25/1/2019 -- 10:02:54 - <Config> - allocated 4194304 bytes of memory for the flow hash... 65536 buckets of size 64
25/1/2019 -- 10:02:54 - <Config> - preallocated 10000 flows of size 296
25/1/2019 -- 10:02:54 - <Config> - flow memory usage: 7154304 bytes, maximum: 67108864
25/1/2019 -- 10:02:54 - <Config> - stream "prealloc-sessions": 2048 (per thread)
25/1/2019 -- 10:02:54 - <Config> - stream "memcap": 33554432
25/1/2019 -- 10:02:54 - <Config> - stream "midstream" session pickups: disabled
25/1/2019 -- 10:02:54 - <Config> - stream "async-oneside": disabled
25/1/2019 -- 10:02:54 - <Config> - stream "checksum-validation": disabled
25/1/2019 -- 10:02:54 - <Config> - stream."inline": disabled
25/1/2019 -- 10:02:54 - <Config> - stream "max-synack-queued": 5
25/1/2019 -- 10:02:54 - <Config> - stream.reassembly "memcap": 134217728
25/1/2019 -- 10:02:54 - <Config> - stream.reassembly "depth": 0
25/1/2019 -- 10:02:54 - <Config> - stream.reassembly "toserver-chunk-size": 2654
25/1/2019 -- 10:02:54 - <Config> - stream.reassembly "toclient-chunk-size": 2475
25/1/2019 -- 10:02:54 - <Config> - stream.reassembly.raw: enabled
25/1/2019 -- 10:02:54 - <Config> - segment pool: pktsize 4, prealloc 256
25/1/2019 -- 10:02:54 - <Config> - segment pool: pktsize 16, prealloc 512
25/1/2019 -- 10:02:54 - <Config> - segment pool: pktsize 112, prealloc 512
25/1/2019 -- 10:02:54 - <Config> - segment pool: pktsize 248, prealloc 512
25/1/2019 -- 10:02:54 - <Config> - segment pool: pktsize 512, prealloc 512
25/1/2019 -- 10:02:54 - <Config> - segment pool: pktsize 768, prealloc 1024
25/1/2019 -- 10:02:54 - <Config> - segment pool: pktsize 1448, prealloc 1024
25/1/2019 -- 10:02:54 - <Config> - segment pool: pktsize 65535, prealloc 128
25/1/2019 -- 10:02:54 - <Config> - stream.reassembly "chunk-prealloc": 250
25/1/2019 -- 10:02:54 - <Config> - stream.reassembly "zero-copy-size": 128
25/1/2019 -- 10:02:54 - <Config> - allocated 262144 bytes of memory for the ippair hash... 4096 buckets of size 64
25/1/2019 -- 10:02:54 - <Config> - preallocated 1000 ippairs of size 136
25/1/2019 -- 10:02:54 - <Config> - ippair memory usage: 398144 bytes, maximum: 16777216
25/1/2019 -- 10:02:54 - <Config> - Delayed detect disabled
25/1/2019 -- 10:02:54 - <Config> - pattern matchers: MPM: ac, SPM: bm
25/1/2019 -- 10:02:54 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
25/1/2019 -- 10:02:54 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
25/1/2019 -- 10:02:54 - <Config> - IP reputation disabled
25/1/2019 -- 10:02:54 - <Perf> - Registered 114 keyword profiling counters.
25/1/2019 -- 10:02:54 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-ftp.rules
25/1/2019 -- 10:02:54 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-policy.rules
25/1/2019 -- 10:02:55 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-trojan.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-games.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-pop3.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-user_agents.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-activex.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-rpc.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-attack_response.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-icmp.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-scan.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-voip.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-chat.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-icmp_info.rules
25/1/2019 -- 10:02:59 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-info.rules
25/1/2019 -- 10:03:00 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-shellcode.rules
25/1/2019 -- 10:03:00 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-web_client.rules
25/1/2019 -- 10:03:00 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-imap.rules
25/1/2019 -- 10:03:00 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-web_server.rules
25/1/2019 -- 10:03:00 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-current_events.rules
25/1/2019 -- 10:03:03 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-inappropriate.rules
25/1/2019 -- 10:03:03 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-smtp.rules
25/1/2019 -- 10:03:03 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-web_specific_apps.rules
25/1/2019 -- 10:03:05 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-deleted.rules
25/1/2019 -- 10:03:05 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-malware.rules
25/1/2019 -- 10:03:05 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-snmp.rules
25/1/2019 -- 10:03:05 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-worm.rules
25/1/2019 -- 10:03:05 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-dns.rules
25/1/2019 -- 10:03:05 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-misc.rules
25/1/2019 -- 10:03:05 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-sql.rules
25/1/2019 -- 10:03:06 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-dos.rules
25/1/2019 -- 10:03:06 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-netbios.rules
25/1/2019 -- 10:03:06 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-telnet.rules
25/1/2019 -- 10:03:06 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-exploit.rules
25/1/2019 -- 10:03:06 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-p2p.rules
25/1/2019 -- 10:03:06 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-tftp.rules
25/1/2019 -- 10:03:06 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-mobile_malware.rules
25/1/2019 -- 10:03:07 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-botcc.rules
25/1/2019 -- 10:03:07 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-compromised.rules
25/1/2019 -- 10:03:07 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-drop.rules
25/1/2019 -- 10:03:07 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-dshield.rules
25/1/2019 -- 10:03:07 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-tor.rules
25/1/2019 -- 10:03:07 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/ET-ciarmy.rules
25/1/2019 -- 10:03:07 - <Config> - Loading rule file: /opt/suricata311/etc/etpro/local.rules
25/1/2019 -- 10:03:07 - <Info> - 44 rule files processed. 39396 rules successfully loaded, 0 rules failed
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for tcp-packet
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for tcp-stream
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for udp-packet
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for other-ip
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_uri
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_raw_uri
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_header
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_header
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_user_agent
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_raw_header
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_raw_header
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_method
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for file_data
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for file_data
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_stat_msg
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_stat_code
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_client_body
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_host
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_raw_host
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_cookie
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for http_cookie
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for dns_query
25/1/2019 -- 10:03:08 - <Perf> - using shared mpm ctx' for tls_sni
25/1/2019 -- 10:03:08 - <Info> - 39401 signatures processed. 1190 are IP-only rules, 15658 are inspecting packet payload, 27301 inspect application layer, 0 are decoder event only
25/1/2019 -- 10:03:08 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
25/1/2019 -- 10:03:08 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
25/1/2019 -- 10:03:08 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
25/1/2019 -- 10:03:08 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
25/1/2019 -- 10:03:08 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
25/1/2019 -- 10:03:08 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
25/1/2019 -- 10:03:08 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
25/1/2019 -- 10:03:10 - <Perf> - Unique rule groups: 104
25/1/2019 -- 10:03:10 - <Perf> - Builtin MPM "toserver TCP packet": 35
25/1/2019 -- 10:03:10 - <Perf> - Builtin MPM "toclient TCP packet": 17
25/1/2019 -- 10:03:10 - <Perf> - Builtin MPM "toserver TCP stream": 33
25/1/2019 -- 10:03:10 - <Perf> - Builtin MPM "toclient TCP stream": 19
25/1/2019 -- 10:03:10 - <Perf> - Builtin MPM "toserver UDP packet": 27
25/1/2019 -- 10:03:10 - <Perf> - Builtin MPM "toclient UDP packet": 17
25/1/2019 -- 10:03:10 - <Perf> - Builtin MPM "other IP packet": 3
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_uri": 15
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_header": 11
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toclient http_header": 7
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_user_agent": 5
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_method": 5
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toclient file_data": 7
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_client_body": 6
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_host": 1
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver http_cookie": 2
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toclient http_cookie": 3
25/1/2019 -- 10:03:10 - <Perf> - AppLayer MPM "toserver dns_query": 4
25/1/2019 -- 10:03:12 - <Perf> - Registered 39401 rule profiling counters.
25/1/2019 -- 10:03:12 - <Info> - Threshold config parsed: 0 rule(s) found
25/1/2019 -- 10:03:12 - <Info> - fast output device (regular) initialized: alert
25/1/2019 -- 10:03:12 - <Info> - eve-log output device (regular) initialized: eve.json
25/1/2019 -- 10:03:12 - <Config> - enabling 'eve-log' module 'alert'
25/1/2019 -- 10:03:12 - <Config> - enabling 'eve-log' module 'http'
25/1/2019 -- 10:03:12 - <Config> - enabling 'eve-log' module 'dns'
25/1/2019 -- 10:03:12 - <Config> - enabling 'eve-log' module 'tls'
25/1/2019 -- 10:03:12 - <Config> - enabling 'eve-log' module 'files'
25/1/2019 -- 10:03:12 - <Config> - enabling 'eve-log' module 'ssh'
25/1/2019 -- 10:03:12 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
25/1/2019 -- 10:03:12 - <Info> - http-log output device (regular) initialized: http.log
25/1/2019 -- 10:03:12 - <Info> - stats output device (regular) initialized: stats.log
25/1/2019 -- 10:03:12 - <Config> - AutoFP mode using "Hash" flow load balancer
25/1/2019 -- 10:03:12 - <Info> - reading pcap file /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap
25/1/2019 -- 10:03:12 - <Config> - using 1 flow manager threads
25/1/2019 -- 10:03:12 - <Config> - using 1 flow recycler threads
25/1/2019 -- 10:03:12 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
25/1/2019 -- 10:03:12 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
25/1/2019 -- 10:03:12 - <Info> - pcap file end of file reached (pcap err code 0)
25/1/2019 -- 10:03:12 - <Notice> - Signal Received.  Stopping engine.
25/1/2019 -- 10:03:12 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
25/1/2019 -- 10:03:13 - <Info> - time elapsed 0.995s
25/1/2019 -- 10:03:14 - <Perf> - 116 flows processed
25/1/2019 -- 10:03:14 - <Notice> - Pcap-file module read 7797 packets, 9823545 bytes
25/1/2019 -- 10:03:14 - <Perf> - AutoFP - Total flow handler queues - 1
25/1/2019 -- 10:03:14 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
25/1/2019 -- 10:03:14 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
25/1/2019 -- 10:03:14 - <Perf> - Dumping profiling data for 39401 rules.
25/1/2019 -- 10:03:14 - <Perf> - Done dumping profiling data.
25/1/2019 -- 10:03:14 - <Perf> - Done dumping keyword profiling data.
25/1/2019 -- 10:03:14 - <Info> - cleaning up signature grouping structure... complete
25/1/2019 -- 10:03:14 - <Perf> - Done dumping profiling data.
returncode: 0
errors:
warnings:


packet_stats.log - (10328 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          7622           133830     1692966990    1079642386       8229.0b   96.05
 IPv4      17           219         19437308     1692665225    1287043494        281.9b    3.29
 IPv4     256            84           133830     1680053376     673143165         56.5b    0.66
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          7580            60788       19369478        218998          1.7b   86.60
TMM_FLOWWORKER              IPv4      17           219           114761       12231512        304879         66.8m    3.48
TMM_RECEIVEPCAPFILE         IPv4       6          7578             2544       11826400          8049         61.0m    3.18
TMM_RECEIVEPCAPFILE         IPv4      17           219             2561           4059          2701        591.7k    0.03
TMM_DECODEPCAPFILE          IPv4       6          7578             2656          54346          2863         21.7m    1.13
TMM_DECODEPCAPFILE          IPv4      17           219             2672          43457          3218        704.9k    0.04
TMM_PACKETLOGGER            IPv4       6          7622             2629        9626707          5670         43.2m    2.25
TMM_PACKETLOGGER            IPv4      17           219             2617          15798          3020        661.4k    0.03
TMM_TXLOGGER                IPv4       6          7622             2589         276808          3369         25.7m    1.34
TMM_TXLOGGER                IPv4      17           219             2608        9325212         54788         12.0m    0.63
TMM_FILELOGGER              IPv4       6          7622             2595         178604          3124         23.8m    1.24
TMM_FILELOGGER              IPv4      17           219             2599          24434          2936        643.2k    0.03

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          7578             2691          84773          3388         25.7m  1.57  
flow                    IPv4      17           219             2818          25984          3926        859.9k  0.05  
stream                  IPv4       6          7580             2678         631318          9633         73.0m  4.47  
app-layer               IPv4      17           219             2748        4064989         24079          5.3m  0.32  
detect                  IPv4       6          7622            44158       19344074        193382          1.5b  90.13 
detect                  IPv4      17           219            97983       12202439        258707         56.7m  3.46  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6           600             2744         606031         16583         10.0m  42.88 
http                    IPv4      17            25             2940          66720         10991        274.8k  1.18  
tls                     IPv4       6          1716             2612         512747          5545          9.5m  41.01 
tls                     IPv4      17           101             2616           3619          2817        284.6k  1.23  
smb                     IPv4       6           753             2621          23504          3675          2.8m  11.93 
dcerpc                  IPv4       6            47             2621          19517          4707        221.3k  0.95  
dcerpc                  IPv4      17            13             2838           2981          2959         38.5k  0.17  
dns                     IPv4      17            24             3365          15240          6277        150.7k  0.65  
Proto detect            IPv4       6           177             2542          73718          6083          1.1m
Proto detect            IPv4      17            97             2735          22172          5004        485.4k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_ALERTFASTLOG            IPv4       6            48            12269         188561         52142          2.5m   10.36
TMM_ALERTUNIFIED2ALERT      IPv4       6            48            17969         163167         58289          2.8m   11.58
TMM_LOGHTTPLOG              IPv4       6            14            25838          82513         34786        487.0k    2.02
TMM_JSONALERTLOG            IPv4       6            48            33264         492012         78566          3.8m   15.60
TMM_JSONHTTPLOG             IPv4       6            14            59876         239129        112360          1.6m    6.51
TMM_JSONDNSLOG              IPv4      17            22            29192        9311293        510308         11.2m   46.45
TMM_JSONTLSLOG              IPv4       6            11            35283         110117         58319        641.5k    2.65
TMM_JSONFILELOG             IPv4       6            14            53888         154788         83443          1.2m    4.83

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_MPM             IPv4       6          7622             2533        1622312         50946        388.3m  21.81 
PROF_DETECT_MPM             IPv4      17           219             9097         427730         24536          5.4m  0.30  
PROF_DETECT_MPM_PACKET      IPv4       6          2058             3367         511369         35152         72.3m  4.06  
PROF_DETECT_MPM_PACKET      IPv4      17           219             3608         407758         17269          3.8m  0.21  
PROF_DETECT_MPM_PKT_STR     IPv4       6             2             4450           6850          5650         11.3k  0.00  
PROF_DETECT_MPM_STREAM      IPv4       6           830             5680         575667        113299         94.0m  5.28  
PROF_DETECT_MPM_URI         IPv4       6            21             4833          33334         14411        302.6k  0.02  
PROF_DETECT_MPM_HCBD        IPv4       6            21             2661         318765         42057        883.2k  0.05  
PROF_DETECT_MPM_HSBD        IPv4       6           852             2564        1351112        179460        152.9m  8.59  
PROF_DETECT_MPM_HHD         IPv4       6           873             6144         396262         12075         10.5m  0.59  
PROF_DETECT_MPM_HRHD        IPv4       6           873             3384          39619          4651          4.1m  0.23  
PROF_DETECT_MPM_HMD         IPv4       6            21             2890          21867          6838        143.6k  0.01  
PROF_DETECT_MPM_HCD         IPv4       6           873             2823          35594          3359          2.9m  0.16  
PROF_DETECT_MPM_HRUD        IPv4       6            21             3127          24162          6507        136.7k  0.01  
PROF_DETECT_MPM_HSCD        IPv4       6           852             2656          28466          3208          2.7m  0.15  
PROF_DETECT_MPM_HUAD        IPv4       6            21             2783          31801         10473        219.9k  0.01  
UNKNOWN                     IPv4       6            21             2809          30051          7151        150.2k  0.01  
PROF_DETECT_MPM_DNSQUERY    IPv4      17            11             4846          16457         10836        119.2k  0.01  
PROF_DETECT_IPONLY          IPv4       6           135             5628         112866         39596          5.3m  0.30  
PROF_DETECT_IPONLY          IPv4      17            83             3612         434295         43313          3.6m  0.20  
PROF_DETECT_RULES           IPv4       6          7622             2527       11213894         87795        669.2m  37.59 
PROF_DETECT_RULES           IPv4      17           219            23307         634543        111588         24.4m  1.37  
PROF_DETECT_STATEFUL        IPv4       6          7622             2513       10678712         29120        222.0m  12.47 
PROF_DETECT_STATEFUL        IPv4      17           219             2516          81236          4022        881.0k  0.05  
PROF_DETECT_PREFILTER       IPv4       6          7622             2521          78732          2877         21.9m  1.23  
PROF_DETECT_PREFILTER       IPv4      17           219             2569          38413          3189        698.5k  0.04  
PROF_DETECT_NONMPMLIST      IPv4       6          7622             2525          84203          2888         22.0m  1.24  
PROF_DETECT_NONMPMLIST      IPv4      17           219             2533           8093          2893        633.6k  0.04  
PROF_DETECT_ALERT           IPv4       6          7622             2525          52374          2864         21.8m  1.23  
PROF_DETECT_ALERT           IPv4      17           219             2529          15993          2806        614.7k  0.03  
PROF_DETECT_CLEANUP         IPv4       6          7622             2567          41592          2996         22.8m  1.28  
PROF_DETECT_CLEANUP         IPv4      17           219             2577          22746          3129        685.5k  0.04  
PROF_DETECT_GETSGH          IPv4       6          7622             2520          66054          3083         23.5m  1.32  
PROF_DETECT_GETSGH          IPv4      17           219             2524          34381          5660          1.2m  0.07  


suricata-3.1.1-etpro-all-http.log-2019-01-25-T-10-03-14-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (2429 bytes)
06/29/2018-16:54:15.965362 srienterprises.net [**] /lop.bin [**] <useragent unknown> [**] 172.16.1.102:49198 -> 134.119.189.10:80
06/29/2018-16:55:45.908960 apps.identrust.com [**] /roots/dstrootcax3.p7c [**] Microsoft-CryptoAPI/6.1 [**] 172.16.1.102:49203 -> 192.35.177.64:80
06/29/2018-16:55:46.124691 www.download.windowsupdate.com [**] /msdownload/update/v3/static/trustedr/en/authrootstl.cab [**] Microsoft-CryptoAPI/6.1 [**] 172.16.1.102:49204 -> 8.250.199.254:80
06/29/2018-16:57:52.591854 85.143.220.29 [**] /table.png [**] WinHTTP loader/1.0 [**] 172.16.1.102:49208 -> 85.143.220.29:80
06/29/2018-16:58:10.966162 85.143.220.29 [**] /toler.png [**] WinHTTP loader/1.0 [**] 172.16.1.102:49208 -> 85.143.220.29:80
06/29/2018-16:58:17.704834 188.124.167.132 [**] /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/90 [**] test [**] 172.16.1.102:49482 -> 188.124.167.132:8082
06/29/2018-16:58:26.885122 apps.identrust.com [**] /roots/dstrootcax3.p7c [**] Microsoft-CryptoAPI/6.1 [**] 172.16.1.8:61981 -> 192.35.177.64:80
06/29/2018-16:58:31.689491 www.download.windowsupdate.com [**] /msdownload/update/v3/static/trustedr/en/authrootstl.cab [**] Microsoft-CryptoAPI/6.1 [**] 172.16.1.8:61982 -> 8.249.17.254:80
06/29/2018-16:58:32.185632 85.143.220.29 [**] /worming.png [**] <useragent unknown> [**] 172.16.1.102:49528 -> 85.143.220.29:80
06/29/2018-16:58:38.967282 85.143.220.29 [**] /toler.png [**] <useragent unknown> [**] 172.16.1.102:49529 -> 85.143.220.29:80
06/29/2018-17:00:41.499075 188.124.167.132 [**] /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/81/ [**] Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko [**] 172.16.1.102:49530 -> 188.124.167.132:8082
06/29/2018-17:00:42.532776 188.124.167.132 [**] /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/82/ [**] Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko [**] 172.16.1.102:49531 -> 188.124.167.132:8082
06/29/2018-17:00:43.472003 188.124.167.132 [**] /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/81/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko [**] 172.16.1.102:49532 -> 188.124.167.132:8082
06/29/2018-17:00:44.568172 188.124.167.132 [**] /ser0629/NARWHAL-PC_W617601.35B9952F626E69947B9AEE4D9CE9809E/82/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko [**] 172.16.1.102:49533 -> 188.124.167.132:8082


stats.log - (2017 bytes)
------------------------------------------------------------------------------------
Date: 1/25/2019 -- 10:03:14 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 7797
decoder.bytes                              | Total                     | 9823545
decoder.ipv4                               | Total                     | 7797
decoder.ethernet                           | Total                     | 7797
decoder.tcp                                | Total                     | 7578
decoder.udp                                | Total                     | 219
decoder.avg_pkt_size                       | Total                     | 1259
decoder.max_pkt_size                       | Total                     | 24874
tcp.sessions                               | Total                     | 68
tcp.pseudo                                 | Total                     | 42
tcp.syn                                    | Total                     | 76
tcp.synack                                 | Total                     | 62
tcp.rst                                    | Total                     | 46
detect.alert                               | Total                     | 62
detect.mpm_list                            | Total                     | 5
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 5
flow.spare                                 | Total                     | 9997
tcp.memuse                                 | Total                     | 393216
tcp.reassembly_memuse                      | Total                     | 12320544
flow.memuse                                | Total                     | 7156968


eve.json - (52387 bytes)
{"timestamp":"2018-06-29T16:54:14.264505+0000","flow_id":457984798,"pcap_cnt":1,"event_type":"dns","src_ip":"172.16.1.102","src_port":62835,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34269,"rrname":"srienterprises.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:54:14.441748+0000","flow_id":457984798,"pcap_cnt":2,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62835,"proto":"UDP","dns":{"type":"answer","id":34269,"rcode":"NOERROR","rrname":"srienterprises.net","rrtype":"A","ttl":10808,"rdata":"134.119.189.10"}}
{"timestamp":"2018-06-29T16:54:14.846104+0000","flow_id":2017246289,"pcap_cnt":10,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2014819,"rev":3,"signature":"ET INFO Packed Executable Download","category":"Misc activity","severity":3}}
{"timestamp":"2018-06-29T16:54:15.055163+0000","flow_id":2017246289,"pcap_cnt":28,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2018-06-29T16:54:15.055163+0000","flow_id":2017246289,"pcap_cnt":28,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-06-29T16:54:15.895268+0000","flow_id":2017246289,"pcap_cnt":293,"event_type":"alert","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3}}
{"timestamp":"2018-06-29T16:54:15.965362+0000","flow_id":2017246289,"event_type":"http","src_ip":"172.16.1.102","src_port":49198,"dest_ip":"134.119.189.10","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"srienterprises.net","url":"\/lop.bin","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-06-29T16:54:15.965362+0000","flow_id":2017246289,"event_type":"fileinfo","src_ip":"134.119.189.10","src_port":80,"dest_ip":"172.16.1.102","dest_port":49198,"proto":"TCP","http":{"hostname":"srienterprises.net","url":"\/lop.bin","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":438272},"app_proto":"http","fileinfo":{"filename":"\/lop.bin","state":"CLOSED","stored":false,"size":2480,"tx_id":0}}
{"timestamp":"2018-06-29T16:55:44.545188+0000","flow_id":2510142484,"pcap_cnt":336,"event_type":"dns","src_ip":"172.16.1.102","src_port":57879,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27951,"rrname":"www.myexternalip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:44.761096+0000","flow_id":2510142484,"pcap_cnt":337,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":57879,"proto":"UDP","dns":{"type":"answer","id":27951,"rcode":"NOERROR","rrname":"www.myexternalip.com","rrtype":"A","ttl":3599,"rdata":"78.47.139.102"}}
{"timestamp":"2018-06-29T16:55:45.373333+0000","flow_id":2130141102,"pcap_cnt":344,"event_type":"tls","src_ip":"172.16.1.102","src_port":49202,"dest_ip":"78.47.139.102","dest_port":443,"proto":"TCP","tls":{"subject":"CN=myexternalip.com","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2018-06-29T16:55:45.636793+0000","flow_id":188606663,"pcap_cnt":348,"event_type":"dns","src_ip":"172.16.1.102","src_port":62737,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41713,"rrname":"apps.identrust.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:45.676523+0000","flow_id":188606663,"pcap_cnt":349,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62737,"proto":"UDP","dns":{"type":"answer","id":41713,"rcode":"NOERROR","rrname":"apps.identrust.com","rrtype":"CNAME","ttl":3248,"rdata":"apps.digsigtrust.com"}}
{"timestamp":"2018-06-29T16:55:45.676523+0000","flow_id":188606663,"pcap_cnt":349,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":62737,"proto":"UDP","dns":{"type":"answer","id":41713,"rcode":"NOERROR","rrname":"apps.digsigtrust.com","rrtype":"A","ttl":267,"rdata":"192.35.177.64"}}
{"timestamp":"2018-06-29T16:55:45.828561+0000","flow_id":3910132323,"pcap_cnt":357,"event_type":"dns","src_ip":"172.16.1.102","src_port":56872,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11618,"rrname":"www.download.windowsupdate.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:55:45.908960+0000","flow_id":4209462617,"pcap_cnt":358,"event_type":"http","src_ip":"172.16.1.102","src_port":49203,"dest_ip":"192.35.177.64","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"apps.identrust.com","url":"\/roots\/dstrootcax3.p7c","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/x-pkcs7-mime"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":3910132323,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"www.download.windowsupdate.com","rrtype":"CNAME","ttl":2151,"rdata":"2-01-3cf7-0009.cdx.cedexis.net"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":3910132323,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"2-01-3cf7-0009.cdx.cedexis.net","rrtype":"CNAME","ttl":20,"rdata":"fg.download.windowsupdate.com.c.footprint.net"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":3910132323,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.250.199.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":3910132323,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.17.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":3910132323,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.41.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":3910132323,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.249.47.254"}}
{"timestamp":"2018-06-29T16:55:45.953283+0000","flow_id":3910132323,"pcap_cnt":359,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":56872,"proto":"UDP","dns":{"type":"answer","id":11618,"rcode":"NOERROR","rrname":"fg.download.windowsupdate.com.c.footprint.net","rrtype":"A","ttl":228,"rdata":"8.253.44.190"}}
{"timestamp":"2018-06-29T16:55:46.124691+0000","flow_id":1375438327,"pcap_cnt":398,"event_type":"http","src_ip":"172.16.1.102","src_port":49204,"dest_ip":"8.250.199.254","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.download.windowsupdate.com","url":"\/msdownload\/update\/v3\/static\/trustedr\/en\/authrootstl.cab","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/vnd.ms-cab-compressed"}}
{"timestamp":"2018-06-29T16:55:47.644785+0000","flow_id":3382970814,"pcap_cnt":408,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:55:47.654632+0000","flow_id":3382970814,"pcap_cnt":409,"event_type":"tls","src_ip":"172.16.1.102","src_port":49205,"dest_ip":"185.231.154.104","dest_port":443,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:47.654634+0000","flow_id":3382970814,"pcap_cnt":410,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:55:47.654634+0000","flow_id":3382970814,"pcap_cnt":410,"event_type":"alert","src_ip":"185.231.154.104","src_port":443,"dest_ip":"172.16.1.102","dest_port":49205,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:55:49.866558+0000","flow_id":1047638639,"pcap_cnt":433,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:55:49.874446+0000","flow_id":1047638639,"pcap_cnt":434,"event_type":"tls","src_ip":"172.16.1.102","src_port":49206,"dest_ip":"185.231.154.74","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2018-06-29T16:55:49.874448+0000","flow_id":1047638639,"pcap_cnt":435,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:55:49.874448+0000","flow_id":1047638639,"pcap_cnt":435,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49206,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:57:11.468920+0000","flow_id":2944592016,"pcap_cnt":1673,"event_type":"dns","src_ip":"172.16.1.102","src_port":51769,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35922,"rrname":"112.146.166.173.zen.spamhaus.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.608878+0000","flow_id":2944592016,"pcap_cnt":1674,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51769,"proto":"UDP","dns":{"type":"answer","id":35922,"rcode":"NXDOMAIN","rrname":"112.146.166.173.zen.spamhaus.org"}}
{"timestamp":"2018-06-29T16:57:11.608878+0000","flow_id":2944592016,"pcap_cnt":1674,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51769,"proto":"UDP","dns":{"type":"answer","id":35922,"rcode":"NXDOMAIN","rrname":"zen.spamhaus.org","rrtype":"SOA","ttl":10}}
{"timestamp":"2018-06-29T16:57:11.609823+0000","flow_id":2708702348,"pcap_cnt":1675,"event_type":"dns","src_ip":"172.16.1.102","src_port":52859,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3374,"rrname":"112.146.166.173.cbl.abuseat.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.712832+0000","flow_id":2708702348,"pcap_cnt":1676,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":52859,"proto":"UDP","dns":{"type":"answer","id":3374,"rcode":"NXDOMAIN","rrname":"112.146.166.173.cbl.abuseat.org"}}
{"timestamp":"2018-06-29T16:57:11.712832+0000","flow_id":2708702348,"pcap_cnt":1676,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":52859,"proto":"UDP","dns":{"type":"answer","id":3374,"rcode":"NXDOMAIN","rrname":"cbl.abuseat.org","rrtype":"SOA","ttl":600}}
{"timestamp":"2018-06-29T16:57:11.714102+0000","flow_id":64682861,"pcap_cnt":1677,"event_type":"dns","src_ip":"172.16.1.102","src_port":51951,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17156,"rrname":"112.146.166.173.b.barracudacentral.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:11.814538+0000","flow_id":64682861,"pcap_cnt":1678,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":51951,"proto":"UDP","dns":{"type":"answer","id":17156,"rcode":"NXDOMAIN","rrname":"112.146.166.173.b.barracudacentral.org"}}
{"timestamp":"2018-06-29T16:57:11.815549+0000","flow_id":572583304,"pcap_cnt":1679,"event_type":"dns","src_ip":"172.16.1.102","src_port":63401,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8244,"rrname":"112.146.166.173.dnsbl-1.uceprotect.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:12.030433+0000","flow_id":572583304,"pcap_cnt":1680,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":63401,"proto":"UDP","dns":{"type":"answer","id":8244,"rcode":"NXDOMAIN","rrname":"112.146.166.173.dnsbl-1.uceprotect.net"}}
{"timestamp":"2018-06-29T16:57:12.030433+0000","flow_id":572583304,"pcap_cnt":1680,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":63401,"proto":"UDP","dns":{"type":"answer","id":8244,"rcode":"NXDOMAIN","rrname":"dnsbl-1.uceprotect.net","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-06-29T16:57:12.031244+0000","flow_id":16044895,"pcap_cnt":1681,"event_type":"dns","src_ip":"172.16.1.102","src_port":49783,"dest_ip":"172.16.1.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6030,"rrname":"112.146.166.173.spam.dnsbl.sorbs.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-06-29T16:57:12.147070+0000","flow_id":16044895,"pcap_cnt":1682,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":49783,"proto":"UDP","dns":{"type":"answer","id":6030,"rcode":"NXDOMAIN","rrname":"112.146.166.173.spam.dnsbl.sorbs.net"}}
{"timestamp":"2018-06-29T16:57:12.147070+0000","flow_id":16044895,"pcap_cnt":1682,"event_type":"dns","src_ip":"172.16.1.8","src_port":53,"dest_ip":"172.16.1.102","dest_port":49783,"proto":"UDP","dns":{"type":"answer","id":6030,"rcode":"NXDOMAIN","rrname":"dnsbl.sorbs.net","rrtype":"SOA","ttl":900}}
{"timestamp":"2018-06-29T16:57:14.249610+0000","flow_id":676571796,"pcap_cnt":1695,"event_type":"alert","src_ip":"185.231.154.74","src_port":447,"dest_ip":"172.16.1.102","dest_port":49207,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-06-29T16:57:14.256976+0000","flow_id":676571796,"pcap_cnt":1696,"event_type":"tls","src_ip":"172.16.1.102","src_por

This file has been truncated.


suricata-3.1.1-etpro-all-alert-2019-01-25-T-10-03-14-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (13047 bytes)
06/29/2018-16:54:14.846104  [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.055163  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.055163  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:54:15.895268  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 134.119.189.10:80 -> 172.16.1.102:49198
06/29/2018-16:55:47.644785  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:47.654634  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:47.654634  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49205
06/29/2018-16:55:49.866558  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:49.874448  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:55:49.874448  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49206
06/29/2018-16:57:14.249610  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49207
06/29/2018-16:57:14.257132  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49207
06/29/2018-16:57:14.257132  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.102:49207
06/29/2018-16:57:48.578062  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49208 -> 85.143.220.29:80
06/29/2018-16:57:49.233902  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:57:49.233902  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:57:49.233930  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49209
06/29/2018-16:57:49.233991  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49210
06/29/2018-16:57:49.244201  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49210
06/29/2018-16:57:49.244201  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49210
06/29/2018-16:57:49.245153  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49209
06/29/2018-16:57:49.245153  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.104:443 -> 172.16.1.102:49209
06/29/2018-16:57:52.597786  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49217 -> 172.16.1.8:445
06/29/2018-16:57:52.598642  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49217 -> 172.16.1.8:445
06/29/2018-16:57:52.808676  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:52.809666  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:53.024775  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:58.029214  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49471 -> 172.16.1.8:445
06/29/2018-16:57:58.038147  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49472 -> 172.16.1.8:445
06/29/2018-16:57:58.038909  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49472 -> 172.16.1.8:445
06/29/2018-16:57:58.254295  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49473 -> 172.16.1.8:445
06/29/2018-16:57:58.257272  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49474 -> 172.16.1.8:445
06/29/2018-16:57:58.257967  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49474 -> 172.16.1.8:445
06/29/2018-16:57:58.472339  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49475 -> 172.16.1.8:445
06/29/2018-16:57:58.473093  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49475 -> 172.16.1.8:445
06/29/2018-16:57:58.691998  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:57:58.692883  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:57:58.906277  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.909864  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.923099  [**] [1:2102471:12] GPL NETBIOS SMB-DS C$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:03.985804  [**] [1:2102471:12] GPL NETBIOS SMB-DS C$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:04.007703  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:08.153177  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49476 -> 172.16.1.8:445
06/29/2018-16:58:09.259694  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49208 -> 85.143.220.29:80
06/29/2018-16:58:09.583608  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49208
06/29/2018-16:58:17.704834  [**] [1:2830243:2] ETPRO TROJAN W32/Trickbot C2 (networkDll module) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.1.102:49482 -> 188.124.167.132:8082
06/29/2018-16:58:17.704834  [**] [1:2100494:12] GPL ATTACK_RESPONSE command completed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.1.102:49482 -> 188.124.167.132:8082
06/29/2018-16:58:26.282309  [**] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.102:49484 -> 172.16.1.8:445
06/29/2018-16:58:27.619909  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:27.619909  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:27.619909  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49528
06/29/2018-16:58:33.882975  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 45.36.155.244:443 -> 172.16.1.8:61983
06/29/2018-16:58:37.141911  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-16:58:37.141911  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-16:58:37.141911  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 85.143.220.29:80 -> 172.16.1.102:49529
06/29/2018-17:00:41.498798  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62001
06/29/2018-17:00:41.506509  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62001
06/29/2018-17:00:41.506509  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62001
06/29/2018-17:01:19.189156  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 45.36.155.244:443 -> 172.16.1.8:62004
06/29/2018-17:01:56.860505  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62007
06/29/2018-17:01:56.867424  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62007
06/29/2018-17:01:56.867424  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.231.154.74:447 -> 172.16.1.8:62007


keyword_perf.log - (13644 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/25/2019 -- 10:03:14
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        209214          40              2               17161           5230.00         8062.00         5081.00        
  content          169632800       16992           8198            10109853        9983.00         9189.00         10723.00       
  pcre             5438670         1273            189             390091          4272.00         4084.00         4305.00        
  byte_test        9281200         3020            1341            95198           3073.00         3144.00         3016.00        
  byte_jump        4265011         1424            649             36112           2995.00         3004.00         2987.00        
  flow             36442974        8733            8733            10221689        4173.00         4173.00         0.00           
  isdataat         63985           20              6               9268            3199.00         4013.00         2850.00        
  dsize            17682           5               5               3754            3536.00         3536.00         0.00           
  flowbits         13132368        4622            111             36088           2841.00         3995.00         2812.00        
  flags            127191          38              38              19274           3347.00         3347.00         0.00           
  urilen           423562          140             75              3994            3025.00         3082.00         2959.00        
  byte_extract     316054          96              96              20978           3292.00         3292.00         0.00           
  asn1             221921          17              0               52835           13054.00        0.00            13054.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             36442974        8733            8733            10221689        4173.00         4173.00         0.00           
  dsize            17682           5               5               3754            3536.00         3536.00         0.00           
  flowbits         12891126        4578            67              36088           2815.00         3018.00         2812.00        
  flags            127191          38              38              19274           3347.00         3347.00         0.00           
  asn1             221921          17              0               52835           13054.00        0.00            13054.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          71594037        14317           7428            390917          5000.00         5760.00         4181.00        
  pcre             2352034         448             173             390091          5250.00         3828.00         6144.00        
  byte_test        9232931         3005            1331            95198           3072.00         3143.00         3016.00        
  byte_jump        4145590         1386            611             36112           2991.00         2996.00         2987.00        
  isdataat         61081           19              5               9268            3214.00         4235.00         2850.00        
  byte_extract     316054          96              96              20978           3292.00         3292.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          939622          229             61              44542           4103.00         3951.00         4158.00        
  pcre             318219          60              2               19098           5303.00         8434.00         5195.00        
  isdataat         2904            1               1               2904            2904.00         2904.00         0.00           
  urilen           423562          140             75              3994            3025.00         3082.00         2959.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http client body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          514731          92              21              22466           5594.00         5552.00         5607.00        
  pcre             9577            2               2               4813            4788.00         4788.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http server body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          96111525        2244            634             10109853        42830.00        50452.00        39829.00       
  pcre             2598904         742             0               27468           3502.00         0.00            3502.00        
  byte_test        48269           15              10              5161            3217.00         3333.00         2986.00        
  byte_jump        119421          38              38              4947            3142.00         3142.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http headers
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          398066          88              47              72263           4523.00         3824.00         5325.00        
  pcre             121179          16              12              17319           7573.00         6936.00         9484.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http raw headers
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          17792           5               0               3990            3558.00         0.00            3558.00        
  pcre             38757           5               0               13542           7751.00         0.00            7751.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http stat msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          17881           5               0               4021            3576.00         0.00            3576.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          22310           7               7               3273            3187.00         3187.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http user-agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6485            2               0               3249            3242.00         0.00            3242.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns query name
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          10351           3               0               4435            3450.00         0.00            3450.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         241242          44              44              20717           5482.00         5482.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        209214          40              2               17161           5230.00         8062.00         5081.00        


suricata-3.1.1-etpro-all-perf.txt-2019-01-25-T-10-03-14-01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap.txt - (125375 bytes)
  --------------------------------------------------------------------------
  Date: 1/25/2019 -- 10:03:14
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2808234      1        1        3733840      0.69   7        0        3524216     533405.71   0.00        533405.71  
  2        2825567      1        3        662309       0.12   2        0        525856      331154.50   0.00        331154.50  
  3        2829214      1        2        654317       0.12   2        0        520995      327158.50   0.00        327158.50  
  4        2023476      1        5        2746186      0.51   9        0        364274      305131.78   0.00        305131.78  
  5        2025330      1        1        608167       0.11   2        0        312857      304083.50   0.00        304083.50  
  6        2016855      1        2        1354977      0.25   5        0        315077      270995.40   0.00        270995.40  
  7        2829561      1        2        465127       0.09   2        0        238348      232563.50   0.00        232563.50  
  8        2819930      1        2        39775375     7.32   173      0        10395856    229915.46   0.00        229915.46  
  9        2820158      1        2        33404295     6.14   158      0        8862233     211419.59   0.00        211419.59  
  10       2016854      1        3        1016188      0.19   5        0        212773      203237.60   0.00        203237.60  
  11       2019832      1        4        400910       0.07   2        0        200704      200455.00   0.00        200455.00  
  12       2018065      1        2        1342669      0.25   7        0        785964      191809.86   0.00        191809.86  
  13       2829532      1        2        1179739      0.22   7        0        189408      168534.14   0.00        168534.14  
  14       2816510      1        3        1011035      0.19   6        0        240496      168505.83   0.00        168505.83  
  15       2819664      1        2        28702889     5.28   173      0        393002      165912.65   0.00        165912.65  
  16       2820157      1        2        25367732     4.67   158      0        520657      160555.27   0.00        160555.27  
  17       2819940      1        3        926470       0.17   6        0        211281      154411.67   0.00        154411.67  
  18       2825453      1        2        294887       0.05   2        0        162855      147443.50   0.00        147443.50  
  19       2828823      1        3        1544291      0.28   11       0        182286      140390.09   0.00        140390.09  
  20       2020865      1        3        7533890      1.39   59       0        199912      127693.05   0.00        127693.05  
  21       2022713      1        2        245627       0.05   2        0        124044      122813.50   0.00        122813.50  
  22       2822213      1        2        1335106      0.25   11       0        269774      121373.27   0.00        121373.27  
  23       2021816      1        2        240571       0.04   2        0        134310      120285.50   0.00        120285.50  
  24       2021946      1        2        238478       0.04   2        0        128476      119239.00   0.00        119239.00  
  25       2018342      1        2        464892       0.09   4        0        138286      116223.00   0.00        116223.00  
  26       2024227      1        2        231880       0.04   2        0        121965      115940.00   0.00        115940.00  
  27       2024720      1        3        230228       0.04   2        0        122095      115114.00   0.00        115114.00  
  28       2827202      1        3        219135       0.04   2        0        110329      109567.50   0.00        109567.50  
  29       2814978      1        2        1196399      0.22   11       0        278685      108763.55   0.00        108763.55  
  30       2021546      1        2        211736       0.04   2        0        107719      105868.00   0.00        105868.00  
  31       2816053      1        2        210372       0.04   2        0        106762      105186.00   0.00        105186.00  
  32       2809923      1        2        207879       0.04   2        0        104831      103939.50   0.00        103939.50  
  33       2814979      1        2        1139985      0.21   11       0        262486      103635.00   0.00        103635.00  
  34       2022212      1        3        206232       0.04   2        0        104914      103116.00   0.00        103116.00  
  35       2810481      1        4        12608314     2.32   123      0        10131056    102506.62   0.00        102506.62  
  36       2021688      1        2        202058       0.04   2        0        107787      101029.00   0.00        101029.00  
  37       2809168      1        2        504826       0.09   5        0        104347      100965.20   0.00        100965.20  
  38       2019833      1        7        201138       0.04   2        0        111510      100569.00   0.00        100569.00  
  39       2021732      1        2        199960       0.04   2        0        109900      99980.00    0.00        99980.00   
  40       2812272      1        2        197795       0.04   2        0        102269      98897.50    0.00        98897.50   
  41       2812256      1        2        197517       0.04   2        0        109719      98758.50    0.00        98758.50   
  42       2022021      1        2        196742       0.04   2        0        102318      98371.00    0.00        98371.00   
  43       2814035      1        2        187548       0.03   2        0        95706       93774.00    0.00        93774.00   
  44       2021375      1        2        186430       0.03   2        0        93971       93215.00    0.00        93215.00   
  45       2021784      1        2        184626       0.03   2        0        94845       92313.00    0.00        92313.00   
  46       2809855      1        2        184487       0.03   2        0        95189       92243.50    0.00        92243.50   
  47       2815976      1        2        184291       0.03   2        0        93986       92145.50    0.00        92145.50   
  48       2022065      1        2        183945       0.03   2        0        93989       91972.50    0.00        91972.50   
  49       2811051      1        3        183591       0.03   2        0        93840       91795.50    0.00        91795.50   
  50       2808503      1        2        183180       0.03   2        0        94681       91590.00    0.00        91590.00   
  51       2809981      1        3        182902       0.03   2        0        94367       91451.00    0.00        91451.00   
  52       2021411      1        2        182757       0.03   2        0        93775       91378.50    0.00        91378.50   
  53       2022058      1        3        182274       0.03   2        0        94004       91137.00    0.00        91137.00   
  54       2021903      1        2        182226       0.03   2        0        94024       91113.00    0.00        91113.00   
  55       2021895      1        2        180404       0.03   2        0        92796       90202.00    0.00        90202.00   
  56       2018856      1        10       360360       0.07   4        0        91365       90090.00    0.00        90090.00   
  57       2018066      1        2        509258       0.09   6        0        96406       84876.33    0.00        84876.33   
  58       2018060      1        2        423701       0.08   5        0        107214      84740.20    0.00        84740.20   
  59       2816515      1        3        846393       0.16   10       0        94603       84639.30    0.00        84639.30   
  60       2103230      1        4        168544       0.03   2        0        126871      84272.00    0.00        84272.00   
  61       2018062      1        2        335140       0.06   4        0        96362       83785.00    0.00        83785.00   
  62       2021013      1        6        581720       0.11   7        7        105481      83102.86    83102.86    0.00       
  63       2802880      1        3        410052       0.08   5        0        397542      82010.40    0.00        82010.40   
  64       2020772      1        2        243277       0.04   3        0        102800      81092.33    0.00        81092.33   
  65       2018063      1        3        641551       0.12   8        0        88820       80193.88    0.00        80193.88   
  66       2018061      1        2        233941       0.04   3        0        78168       77980.33    0.00        77980.33   
  67       2803657      1        5        1377399      0.25   18       0        203465      76522.17    0.00        76522.17   
  68       2019715      1        2        1277140      0.23   17       0        134793      75125.88    0.00        75125.88   
  69       2802991      1        5        746688       0.14   10       0        187410      74668.80    0.00        74668.80   
  70       2018067      1        3        576662       0.11   8        0        101258      72082.75    0.00        72082.75   
  71       2824801      1        3        143515       0.03   2        0        72067       71757.50    0.00        71757.50   
  72       2803027      1        5        4646425      0.85   65       0        248148      71483.46    0.00        71483.46   
  73       2823263      1        3        347357       0.06   5        0        163344      69471.40    0.00        69471.40   
  74       2018068      1        2        274645       0.05   4        0        97903       68661.25    0.00        68661.25   
  75       2018064      1        2        341765       0.06   5        0        96128       68353.00    0.00        68353.00   
  76       2014819      1        3        341026       0.06   5        1        85594       68205.20    84048.00    64244.50   
  77       2020610      1        3        271904       0.05   4        0        103232      67976.00    0.00        67976.00   
  78       2804906      1        3        933617       0.17   14       0        182815      66686.93    0.00        66686.93   
  79       2824799      1        3        133179       0.02   2        0        68219       66589.50    0.00        66589.50   
  80       2804907      1        3        1217784      0.22   19       0        207649      64093.89    0.00        64093.89   
  81       2021749      1        6        829414       0.15   13       0        214228      63801.08    0.00        63801.08   
  82       2020775      1        2        188929       0.03   3        0        96769       62976.33    0.00        62976.33   
  83       2020767      1        2        307287       0.06   5        0        86933       61457.40    0.00        61457.40   
  84       2022535      1        11       553088       0.10   9        0        152902      61454.22    0.00        61454.22   
  85       2023611      1        3        366552       0.07   6        0        75026       61092.00    0.00        61092.00   
  86       2019602      1        1        366486       0.07   6        0        119343      61081.00    0.00        61081.00   
  87       2801929      1        7        1399055      0.26   23       0        201858      60828.48    0.00        60828.48   
  88       2019716      1        9        242359       0.04   4        0        64096       60589.75    0.00        60589.75   
  89       2801930      1        7        1367081      0.25   23       0        230990      59438.30    0.00        59438.30   
  90       2020606      1        4        354922       0.07   6        0        92402       59153.67    0.00        59153.67   
  91       2804508      1        2        295732       0.05   5        0        89424       59146.40    0.00        59146.40   
  92       2103184      1        4        116672       0.02   2        0        90203       58336.00    0.00        58336.00   
  93       2804927      1        2        2554685      0.47   45       0        383225      56770.78    0.00        56770.78   
  94       2017877      1        3        283221       0.05   5        0        64389       56644.20    0.00        56644.20   
  95       2017836      1        4        56272        0.01   1        0        56272       56272.00    0.00        56272.00   
  96       2810654      1        4        784500       0.14   14       14       78551       56035.71    56035.71    0.00       
  97       2024565      1        3        277611       0.05   5        0        105467      55522.20    0.00        55522.20   
  98       2020771      1        2        276236       0.05   5        0        93115       55247.20    0.00        55247.20   
  99       2020779      1        3        326755       0.06   6        0        81149       54459.17    0.00        54459.17   
  100      2020800      1        2        161743       0.03   3        0        60543       53914.33    0.00        53914.33   
  101      2018052      1        7        53906        0.01   1        0        53906       53906.00    0.00        53906.00   
  102      2020799      1        2        106883       0.02   2        0        61715       53441.50    0.00        53441.50   
  103      2804911      1        3        1223466      0.23   23       0        131478      53194.17    0.00        53194.17   
  104      2020777      1        2        370964       0.07   7        0        85510       52994.86    0.00        52994.86   
  105      2019083      1        2        210191       0.04   4        0        75908       52547.75    0.00        52547.75   
  106      2022627      1        12       471802       0.09   9        0        58992       52422.44    0.00        52422.44   
  107      2821014      1        13       104760       0.02   2        0        62778       52380.00    0.00        52380.00   
  108      2802987      1        5        4031247      0.74   78       0        191796      51682.65    0.00        51682.65   
  109      2018069      1        1        308329       0.06   6        0        66476       51388.17    0.00        51388.17   
  110      2018075      1        3        253626       0.05   5        0        58062       50725.20    0.00        50725.20   
  111      2020607      1        3        100981       0.02   2        0        55852       50490.50    0.00        50490.50   
  112      2022773      1        2        100073       0.02   2        0        54601       50036.50    0.00        50036.50   
  113      2020793      1        2        300140       0.06   6        0        63876       50023.33    0.00        50023.33   
  114      2020614      1        2        249068       0.05   5        0        59292       49813.60    0.00        49813.60   
  115      2018013      1        3        147782       0.03   3        0        58135       49260.67    0.00        49260.67   
  116      2826029      1        3        98155        0.02   2        0        49438       49077.50    0.00        49077.50   
  117      2020778      1        2        293571       0.05   6        0        73217       48928.50    0.00        48928.50   
  118      2020774      1        2        146366       0.03   3        0        55896       48788.67    0.00        48788.67   
  119      2020798      1        2        97525        0.02   2        0        50805       48762.50    0.00        48762.50   
  120      2020788      1        2        145530       0.03   3        0        57501       48510.00    0.00        48510.00   
  121      2018032      1        2        242376       0.04   5        0        66200       48475.20    0.00        48475.20   
  122      2018057      1        4        289653       0.05   6        0        57161       48275.50    0.00        48275.50   
  123      2020776      1        2        239834       0.04   5        0        57769       47966.80    0.00        47966.80   
  124      2020765      1        2        143895       0.03   3        0        54732       47965.00    0.00        47965.00   
  125      2020783      1        3        239372       0.04   5   

This file has been truncated.


unified2.alert.1548410592 - (111633 bytes)
‰…<™ÿÿ‹•<™ÿÿ‰•8™ÿÿÇEüu‹…8™ÿÿPMÔÿt`AÇEüüÖÿÿÿx`Ah°µCMÔQ•àÖÿÿRÿ¨`AƒÄ‰…4™ÿÿ‹…4™ÿÿ‰…0™ÿÿÇEüv‹0™ÿÿQMÔÿt`AÇEüàÖÿÿÿx`AhH·CUÔR…ÄÖÿÿPÿ¨`AƒÄ‰…,™ÿÿ‹,™ÿÿ‰(™ÿÿÇEüw‹•(™ÿÿRMÔÿt`AÇEüÄÖÿÿÿx`Ahà¸CEÔP¨ÖÿÿQÿ¨`AƒÄ‰…$™ÿÿ‹•$™ÿÿ‰• ™ÿÿÇEüx‹… ™ÿÿPMÔÿt`AÇEü¨Öÿÿÿx`AhxºCMÔQ•ŒÖÿÿRÿ¨`AƒÄ‰…™ÿÿ‹…™ÿÿ‰…4[6d7×{ņw½
¬fPÀ.[6d7[6d7×{
êE
Ü¿$†w½
¬fPÀ.P¿¦hßÿÿÿx`Ahø:CUÔR…LßÿÿPÿ¨`AƒÄ‰…œ›ÿÿ‹œ›ÿÿ‰˜›ÿÿÇEü)‹•˜›ÿÿRMÔÿt`AÇEüLßÿÿÿx`Ah<CEÔP0ßÿÿQÿ¨`AƒÄ‰…”›ÿÿ‹•”›ÿÿ‰•›ÿÿÇEü*‹…›ÿÿPMÔÿt`AÇEü0ßÿÿÿx`Ah(>CMÔQ•ßÿÿRÿ¨`AƒÄ‰…Œ›ÿÿ‹…Œ›ÿÿ‰…ˆ›ÿÿÇEü+‹ˆ›ÿÿQMÔÿt`AÇEüßÿÿÿx`AhÀ?CUÔR…øÞÿÿPÿ¨`AƒÄ‰…„›ÿÿ‹„›ÿÿ‰€›ÿÿÇEü,‹•€›ÿÿRMÔÿt`AÇEüøÞÿÿÿx`AhXACEÔPÜÞÿÿQÿ¨`AƒÄ‰…|›ÿÿ‹•|›ÿÿ‰•x›ÿÿÇEü-‹…x›ÿÿPMÔÿt`AÇEüÜÞÿÿÿx`AhðBCMÔQ•ÀÞÿÿRÿ¨`AƒÄ‰…t›ÿÿ‹…t›ÿÿ‰…p›ÿÿÇEü.‹p›ÿÿQMÔÿt`AÇEüÀÞÿÿÿx`AhˆDCUÔR…¤ÞÿÿPÿ¨`AƒÄ‰…l›ÿÿ‹l›ÿÿ‰h›ÿÿÇEü/‹•h›ÿÿRMÔÿt`AÇEü¤Þÿÿÿx`Ah FCEÔPˆÞÿÿQÿ¨`AƒÄ‰…d›ÿÿ‹•d›ÿÿ‰•`›ÿÿÇEü0‹…`›ÿÿPMÔÿt`AÇEüˆÞÿÿÿx`Ah¸GCMÔQ•lÞÿÿRÿ¨`AƒÄ‰…\›ÿÿ‹…\›ÿÿ‰…X›ÿÿÇEü1‹X›ÿÿQMÔÿt`AÇEülÞÿÿÿx`AhPICUÔR…PÞÿÿPÿ¨`AƒÄ‰…T›ÿÿ‹T›ÿÿ‰P›ÿÿÇEü2‹•P›ÿÿRMÔÿt`AÇEüPÞÿÿÿx`AhèJCEÔP4ÞÿÿQÿ¨`AƒÄ‰…L›ÿÿ‹•L›ÿÿ‰•H›ÿÿÇEü3‹…H›ÿÿPMÔÿt`AÇEü4Þÿÿÿx`Ah€LCMÔQ•ÞÿÿRÿ¨`AƒÄ‰…D›ÿÿ‹…D›ÿÿ‰…@›ÿÿÇEü4‹@›ÿÿQMÔÿt`AÇEüÞÿÿÿx`AhNCUÔR…üÝÿÿPÿ¨`AƒÄ‰…<›ÿÿ‹<›ÿÿ‰8›ÿÿÇEü5‹•8›ÿÿRMÔÿt`AÇEüüÝÿÿÿx`Ah°OCEÔPàÝÿÿQÿ¨`AƒÄ‰…4›ÿÿ‹•4›ÿÿ‰•0›ÿÿÇEü6‹…0›ÿÿPMÔÿt`AÇEüàÝÿÿÿx`AhHQCMÔQ•ÄÝÿÿRÿ¨`AƒÄ‰…,›ÿÿ‹…,›ÿÿ‰…(›ÿÿÇEü7‹(›ÿÿQMÔÿt`AÇEüÄÝÿÿÿx`AhàRCUÔR…¨ÝÿÿPÿ¨`AƒÄ‰…$›ÿÿ‹$›ÿÿ‰ ›ÿÿÇEü8‹• ›ÿÿRMÔÿt`AÇEü¨Ýÿÿÿx`AhxTCEÔPŒÝÿÿQÿ¨`AƒÄ‰…›ÿÿ‹•›ÿÿ‰•›ÿÿÇEü9‹…›ÿÿPMÔÿt`AÇEüŒÝÿÿÿx`AhVCMÔQ•pÝÿÿRÿ¨`AƒÄ‰…›ÿÿ‹…›ÿÿ‰…›ÿÿÇEü:‹›ÿÿQMÔÿt`AÇEüpÝÿÿÿx`Ah¨WCUÔR…TÝÿÿPÿ¨`AƒÄ‰…›ÿÿ‹›ÿÿ‰›ÿÿÇEü;‹•›ÿÿRMÔÿt`AÇEüTÝÿÿÿx`Ah@YCEÔP8ÝÿÿQÿ¨`AƒÄ‰…›ÿÿ‹•›ÿÿ‰•›ÿÿÇEü<‹…›ÿÿPMÔÿt`AÇEü8Ýÿÿÿx`AhØZCMÔQ•ÝÿÿRÿ¨`AƒÄ‰…üšÿÿ‹…üšÿÿ‰…øšÿÿÇEü=‹øšÿÿQMÔÿt`AÇEüÝÿÿÿx`Ahp\CUÔR…ÝÿÿPÿ¨`AƒÄ‰…ôšÿÿ‹ôšÿÿ‰ðšÿÿÇEü>‹•ðšÿÿRMÔÿt`AÇEüÝÿÿÿx`Ah^CEÔPäÜÿÿQÿ¨`AƒÄ‰…ìšÿÿ‹•ìšÿÿ‰•èšÿÿÇEü?‹…èšÿÿPMÔÿt`AÇEüäÜÿÿÿx`Ah _CMÔQ•ÈÜÿÿRÿ¨`AƒÄ‰…äšÿÿ‹…äšÿÿ‰…àšÿÿÇEü@‹àšÿÿQMÔÿt`AÇEüÈÜÿÿÿx`Ah8aCUÔR…¬ÜÿÿPÿ¨`AƒÄ‰…Üšÿÿ‹Üšÿÿ‰ØšÿÿÇEüA‹•ØšÿÿRMÔÿt`AÇEü¬Üÿÿÿx`AhÐbCEÔPÜÿÿQÿ¨`AƒÄ‰…Ôšÿÿ‹•Ôšÿÿ‰•ÐšÿÿÇEüB‹…КÿÿPMÔÿt`AÇEüÜÿÿÿx`AhhdCMÔQ•tÜÿÿRÿ¨`AƒÄ‰…Ìšÿÿ‹…Ìšÿÿ‰…ÈšÿÿÇEüC‹ÈšÿÿQMÔÿt`AÇEütÜÿÿÿx`AhfCUÔR…XÜÿÿPÿ¨`AƒÄ‰…Äšÿÿ‹Äšÿÿ‰ÀšÿÿÇEüD‹•ÀšÿÿRMÔÿt`AÇEüXÜÿÿÿx`Ah˜gCEÔP<ÜÿÿQÿ¨`AƒÄ
‰…¼šÿÿ‹•¼šÿÿ‰•¸šÿÿÇEüE‹…¸šÿÿPMÔÿt`AÇEü<Üÿÿÿx`Ah0iCMÔQ• ÜÿÿRÿ¨`AƒÄ‰…´šÿÿ‹…´šÿÿ‰…°šÿÿÇEüF‹°šÿÿQMÔÿt`AÇEü Üÿÿÿx`AhÈjCUÔR…ÜÿÿPÿ¨`AƒÄ‰…¬šÿÿ‹¬šÿÿ‰¨šÿÿÇEüG‹•¨šÿÿRMÔÿt`AÇEüÜÿÿÿx`Ah`lCEÔPèÛÿÿQÿ¨`AƒÄ‰…¤šÿÿ‹•¤šÿÿ‰• šÿÿÇEüH‹… šÿÿPMÔÿt`AÇEüèÛÿÿÿx`AhømCMÔQ¬[6d7[6d7×{E‚Ä~†w½
¬fPÀ.Pÿñ•ÌÛÿÿRÿ¨`AƒÄ‰…œšÿÿ‹…œšÿÿ‰…˜šÿÿÇEüI‹˜šÿÿQMÔÿt`AÇEüÌÛÿÿÿx`AhoCUÔR…°ÛÿÿPÿ¨`AƒÄ‰…”šÿÿ‹”šÿÿ‰šÿÿÇEüJ‹•šÿÿRMÔÿt`AÇEü°Ûÿÿÿx`Ah(qCEÔP”ÛÿÿQÿ¨`AƒÄ‰…Œšÿÿ‹•Œšÿÿ‰•ˆšÿÿÇEüK‹…ˆšÿÿPMÔÿt`AÇEü”Ûÿÿÿx`AhÀrCMÔQ•xÛÿÿRÿ¨`AƒÄ‰…„šÿÿ‹…„šÿÿ‰…€šÿÿÇEüL‹€šÿÿQMÔÿt`AÇEüxÛÿÿÿx`AhXtCUÔR…\ÛÿÿPÿ¨`AƒÄ‰…|šÿÿ‹|šÿÿ‰xšÿÿÇEüM‹•xšÿÿRMÔÿt`AÇEü\Ûÿÿÿx`AhðuCEÔP@ÛÿÿQÿ¨`AƒÄ‰…tšÿÿ‹•tšÿÿ‰•pšÿÿÇEüN‹…pšÿÿPMÔÿt`AÇEü@Ûÿÿÿx`AhˆwCMÔQ•$ÛÿÿRÿ¨`AƒÄ‰…lšÿÿ‹…lšÿÿ‰…hšÿÿÇEüO‹hšÿÿQMÔÿt`AÇEü$Ûÿÿÿx`Ah yCUÔR…ÛÿÿPÿ¨`AƒÄ‰…dšÿÿ‹dšÿÿ‰`šÿÿÇEüP‹•`šÿÿRMÔÿt`AÇEüÛÿÿÿx`Ah¸zCEÔPìÚÿÿQÿ¨`AƒÄ‰…\šÿÿ‹•\šÿÿ‰•XšÿÿÇEüQ‹…XšÿÿPMÔÿt`AÇEüìÚÿÿÿx`AhP|CMÔQ•ÐÚÿÿRÿ¨`AƒÄ‰…Tšÿÿ‹…Tšÿÿ‰…PšÿÿÇEüR‹PšÿÿQMÔÿt`AÇEüÐÚÿÿÿx`Ahè}CUÔR…´ÚÿÿPÿ¨`AƒÄ‰…Lšÿÿ‹Lšÿÿ‰HšÿÿÇEüS‹•HšÿÿRMÔÿt`AÇEü´Úÿÿÿx`Ah€CEÔP˜ÚÿÿQÿ¨`AƒÄ‰…Dšÿÿ‹•Dšÿÿ‰•@šÿÿÇEüT‹…@šÿÿPMÔÿt`AÇEü˜Úÿÿÿx`AhCMÔQ•|ÚÿÿRÿ¨`AƒÄ‰…<šÿÿ‹…<šÿÿ‰…8šÿÿÇEüU‹8šÿÿQMÔÿt`AÇEü|Úÿÿÿx`Ah°‚CUÔR…`ÚÿÿPÿ¨`AƒÄ‰…4šÿÿ‹4šÿÿ‰0šÿÿÇEüV‹•0šÿÿRMÔÿt`AÇEü`Úÿÿÿx`AhH„CEÔPDÚÿÿQÿ¨`AƒÄ‰…,šÿÿ‹•,šÿÿ‰•(šÿÿÇEüW‹…(šÿÿPMÔÿt`AÇEüDÚÿÿÿx`Ahà…CMÔQ•(ÚÿÿRÿ¨`AƒÄ‰…$šÿÿ‹…$šÿÿ‰… šÿÿÇEüX‹ šÿÿQMÔÿt`AÇEü(Úÿÿÿx`Ahx‡CUÔR…ÚÿÿPÿ¨[6d7[6d7×{
êE
Ü¿$†w½
¬fPÀ.Pú¬`AƒÄ‰…šÿÿ‹šÿÿ‰šÿÿÇEüY‹•šÿÿRMÔÿt`AÇEüÚÿÿÿx`Ah‰CEÔPðÙÿÿQÿ¨`AƒÄ‰…šÿÿ‹•šÿÿ‰•šÿÿÇEüZ‹…šÿÿPMÔÿt`AÇEüðÙÿÿÿx`Ah¨ŠCMÔQ•ÔÙÿÿRÿ¨`AƒÄ‰…šÿÿ‹…šÿÿ‰…šÿÿÇEü[‹šÿÿQMÔÿt`AÇEüÔÙÿÿÿx`Ah@ŒCUÔR…¸ÙÿÿPÿ¨`AƒÄ‰…šÿÿ‹šÿÿ‰šÿÿÇEü\‹•šÿÿRMÔÿt`AÇEü¸Ùÿÿÿx`Ah؍CEÔPœÙÿÿQÿ¨`AƒÄ‰…ü™ÿÿ‹•ü™ÿÿ‰•ø™ÿÿÇEü]‹…ø™ÿÿPMÔÿt`AÇEüœÙÿÿÿx`AhpCMÔQ•€ÙÿÿRÿ¨`AƒÄ‰…ô™ÿÿ‹…ô™ÿÿ‰…ð™ÿÿÇEü^‹ð™ÿÿQMÔÿt`AÇEü€Ùÿÿÿx`Ah‘CUÔR…dÙÿÿPÿ¨`AƒÄ‰…ì™ÿÿ‹ì™ÿÿ‰è™ÿÿÇEü_‹•è™ÿÿRMÔÿt`AÇEüdÙÿÿÿx`Ah ’CEÔPHÙÿÿQÿ¨`AƒÄ‰…ä™ÿÿ‹•ä™ÿÿ‰•à™ÿÿÇEü`‹…à™ÿÿPMÔÿt`AÇEüHÙÿÿÿx`Ah8”CMÔQ•,ÙÿÿRÿ¨`AƒÄ‰…Ü™ÿÿ‹…Ü™ÿÿ‰…Ø™ÿÿÇEüa‹Ø™ÿÿQMÔÿt`AÇEü,Ùÿÿÿx`AhЕCUÔR…ÙÿÿPÿ¨`AƒÄ‰…Ô™ÿÿ‹Ô™ÿÿ‰Ð™ÿÿÇEüb‹•Ð™ÿÿRMÔÿt`AÇEüÙÿÿÿx`Ahh—CEÔPôØÿÿQÿ¨`AƒÄ‰…Ì™ÿÿ‹•Ì™ÿÿ‰•È™ÿÿÇEüc‹…È™ÿÿPMÔÿt`AÇEüôØÿÿÿx`Ah™CMÔQ•ØØÿÿRÿ¨`AƒÄ‰…Ä™ÿÿ‹…Ä™ÿÿ‰…À™ÿÿÇEüd‹À™ÿÿQMÔÿt`AÇEüØØÿÿÿx`Ah˜šCUÔR…¼ØÿÿPÿ¨`AƒÄ‰…¼™ÿÿ‹¼™ÿÿ‰¸™ÿÿÇEüe‹•¸™ÿÿRMÔÿt`AÇEü¼Øÿÿÿx`Ah0œCEÔP ØÿÿQÿ¨`AƒÄ‰…´™ÿÿ‹•´™ÿÿ‰•°™ÿÿÇEüf‹…°™ÿÿPMÔÿt`AÇEü Øÿÿÿx`AhȝCMÔQ•„ØÿÿRÿ¨`AƒÄ‰…¬™ÿÿ‹…¬™ÿÿ‰…¨™ÿÿÇEüg‹¨™ÿÿQMÔÿt`AÇEü„Øÿÿÿx`Ah`ŸCUÔR…hØÿÿPÿ¨`AƒÄ‰…¤™ÿÿ‹¤™ÿÿ‰ ™ÿÿÇEüh‹• ™ÿÿRMÔÿt`AÇEühØÿÿÿx`Ahø CEÔPLØÿÿQÿ¨`AƒÄ‰…œ™ÿÿ‹•œ™ÿÿ‰•˜™ÿÿÇEüi‹…˜™ÿÿPMÔÿt`AÇEüLØÿÿÿx`Ah¢CMÔQ•0ØÿÿRÿ¨`AƒÄ‰…”™ÿÿ‹…”™ÿÿ‰…™ÿÿÇEüj‹™ÿÿQMÔÿt`AÇEü0Øÿÿÿx`Ah(¤CUÔR…ØÿÿPÿ¨`AƒÄ‰…Œ™ÿÿ‹Œ™ÿÿ‰ˆ™ÿÿÇEük‹•ˆ™ÿÿRMÔÿt`AÇEüØÿÿÿx`AhÀ¥CEÔPø×ÿÿQÿ¨`AƒÄ‰…„™ÿÿ‹•„™ÿÿ‰•€™ÿÿÇEül‹…€™ÿÿPMÔÿt`AÇEüø×ÿÿÿx`AhX§CMÔQ•Ü×ÿÿRÿ¨`AƒÄ‰…|™ÿÿ‹…|™ÿÿ‰…x™ÿÿÇEüm‹x™ÿÿQMÔÿt`AÇEüÜ×ÿÿÿx`Ahð¨CUÔR…À×ÿÿPÿ¨`AƒÄ‰…t™ÿÿ‹t™ÿÿ‰p™ÿÿÇEün‹•p™ÿÿRMÔÿt`AÇEüÀ×ÿÿÿx`AhˆªCEÔP¤×ÿÿQÿ¨`Aƒ

This file has been truncated. Go here to download in full.


IDSDeathBlossom.py.log - (1191 bytes) - download
2019-01-25 10:02:54,198 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-25 10:02:54,902 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-25 10:02:54,902 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-3.1.1-etpro-all
2019-01-25 10:02:54,903 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-25 10:02:54,903 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-25 10:02:54,903 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata311/bin/suricata -c /opt/suricata311/etc/etpro/suricata311-etpro-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc337e8a7bb2412cd73ec1aeed3ba7907c563 -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
2019-01-25 10:03:14,303 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-25 10:03:14,304 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 20.1179668903
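The IDSDeathBlossom log above follows a fixed layout (timestamp, level, function, source file and line, message) and records the exact Suricata command line, a success marker and the total run time. The following parser is an added example and is not code from the IDSDeathBlossom project: it reads those lines, splits the recorded command to recover the pcap, ruleset config and output directory, checks that the run completed, and computes the wall-clock time between the "Executing" and "ran successfully" entries. The sample lines are copied from the log shown above; the field names (RunSummary and its attributes) are this example's own.

```python
"""Summarise an IDSDeathBlossom.py.log run (added example, not project code).

The line format is inferred from the log shown on this page:
  YYYY-MM-DD HH:MM:SS,mmm - LEVEL - function - /path/file.py +LINE - message
"""
import re
import shlex
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Log lines copied from the IDSDeathBlossom.py.log listing above.
SAMPLE_LOG = """\
2019-01-25 10:02:54,198 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-25 10:02:54,902 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-25 10:02:54,902 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-3.1.1-etpro-all
2019-01-25 10:02:54,903 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-25 10:02:54,903 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-25 10:02:54,903 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata311/bin/suricata -c /opt/suricata311/etc/etpro/suricata311-etpro-all.yaml -l /var/www/html/76ce6f1a84079aefcf7228fbfc0fc337e8a7bb2412cd73ec1aeed3ba7907c563 -r /var/pcap/01252019.1002-2018-06-29-Trickbot-infects-client-then-moves-to-DC.pcap -vvv -k none
2019-01-25 10:03:14,303 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-25 10:03:14,304 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 20.1179668903
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - "
    r"(?P<level>[A-Z]+) - (?P<func>\S+) - (?P<path>\S+) \+(?P<lineno>\d+) - (?P<msg>.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"


@dataclass
class RunSummary:
    """Fields recovered from one IDSDeathBlossom run (names are this example's own)."""
    targets: Optional[str] = None
    command: List[str] = field(default_factory=list)
    pcap: Optional[str] = None
    config: Optional[str] = None
    log_dir: Optional[str] = None
    success: bool = False
    total_seconds: Optional[float] = None   # value the tool itself reports
    wall_seconds: Optional[float] = None    # Executing -> ran successfully, from timestamps
    unparsed: List[str] = field(default_factory=list)


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines) -> RunSummary:
    s = RunSummary()
    started_at = None
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:                       # keep, rather than silently drop, odd lines
            s.unparsed.append(line)
            continue
        msg, ts = rec["msg"], datetime.strptime(rec["ts"], TS_FMT)
        if msg.startswith("Targets set to "):
            s.targets = msg[len("Targets set to "):]
        elif msg.startswith("Executing: "):
            # shlex handles quoting the same way the shell that ran the command would
            s.command = shlex.split(msg[len("Executing: "):])
            started_at = ts
            for flag, attr in (("-r", "pcap"), ("-c", "config"), ("-l", "log_dir")):
                if flag in s.command:
                    setattr(s, attr, s.command[s.command.index(flag) + 1])
        elif msg == "suricata ran successfully":
            s.success = True
            if started_at is not None:
                s.wall_seconds = (ts - started_at).total_seconds()
        elif msg.startswith("Total time for the idstool "):
            s.total_seconds = float(msg.rsplit(" ", 1)[1])
    return s


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    print(f"target   : {summary.targets}")
    print(f"pcap     : {summary.pcap}")
    print(f"config   : {summary.config}")
    print(f"success  : {summary.success}")
    print(f"reported : {summary.total_seconds} s, wall-clock between log entries: {summary.wall_seconds} s")
```

The wall-clock figure derived from the two timestamps covers only the Suricata child process, which is why it comes out smaller than the "Total time for the idstool" value the tool reports for its whole loop; when automating many pcap runs, the difference between the two is the tool's own overhead rather than IDS processing time.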