Filename: 2019-01-22-1st-run-Emotet-infection-with-Trickbot.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 22.0749061108 seconds
Hash: 774b6697be89a71bef0a9703fba77717
Uploaded: 1548330052

Logfiles


suricata-4.0.0-etpro-all-alert-2019-01-24-T-11-41-14-01242019.1140-2019-01-22-1st-run-Emotet-infection-with-Trickbot.pcap.txt (7856 bytes)
01/22/2019-16:20:48.287499  [**] [1:2020657:2] ET TROJAN Possible malicious Office doc hidden in XML file [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.56.147.100:80 -> 192.168.3.101:49207
01/22/2019-16:21:22.300156  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 213.186.33.17:80 -> 192.168.3.101:49214
01/22/2019-16:21:22.300156  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 213.186.33.17:80 -> 192.168.3.101:49214
01/22/2019-16:21:22.300156  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 213.186.33.17:80 -> 192.168.3.101:49214
01/22/2019-16:22:26.788762  [**] [1:2008420:4] ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.101:49218 -> 100.42.20.148:53
01/22/2019-16:22:29.799919  [**] [1:2008420:4] ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.101:49218 -> 100.42.20.148:53
01/22/2019-16:23:42.017177  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.202.212.162:443 -> 192.168.3.101:49224
01/22/2019-16:23:42.025996  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.202.212.162:443 -> 192.168.3.101:49224
01/22/2019-16:23:42.025996  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.202.212.162:443 -> 192.168.3.101:49224
01/22/2019-16:23:57.814648  [**] [1:2821116:2] ETPRO POLICY External IP DNS Lookup wtfismyip [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.3.101:57631 -> 192.168.3.1:53
01/22/2019-16:23:58.316309  [**] [1:2019737:2] ET POLICY IP Check wtfismyip.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.3.101:49225 -> 198.27.74.146:80
01/22/2019-16:23:58.913740  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49226
01/22/2019-16:23:58.922517  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49226
01/22/2019-16:23:58.922517  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49226
01/22/2019-16:24:12.121120  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.202.212.162:443 -> 192.168.3.101:49229
01/22/2019-16:24:12.128937  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.202.212.162:443 -> 192.168.3.101:49229
01/22/2019-16:24:12.128937  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 82.202.212.162:443 -> 192.168.3.101:49229
01/22/2019-16:24:20.542527  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 76.107.90.235:449 -> 192.168.3.101:49230
01/22/2019-16:24:21.474555  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 76.107.90.235:449 -> 192.168.3.101:49231
01/22/2019-16:25:04.457703  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.3.101:49235 -> 24.247.181.125:8082
01/22/2019-16:25:48.915092  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49236
01/22/2019-16:25:48.921189  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49236
01/22/2019-16:25:48.921189  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49236
01/22/2019-16:27:11.222456  [**] [1:2830243:2] ETPRO TROJAN W32/Trickbot C2 (networkDll module) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.101:49238 -> 24.247.181.125:8082
01/22/2019-16:27:11.222456  [**] [1:2100494:12] GPL ATTACK_RESPONSE command completed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.3.101:49238 -> 24.247.181.125:8082
01/22/2019-16:30:55.305722  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 76.107.90.235:449 -> 192.168.3.101:49240
01/22/2019-16:34:17.402313  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 76.107.90.235:449 -> 192.168.3.101:49241
01/22/2019-16:37:26.719670  [**] [1:2008420:4] ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.101:49242 -> 100.42.20.148:53
01/22/2019-16:37:40.585714  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 76.107.90.235:449 -> 192.168.3.101:49243
01/22/2019-16:37:42.059828  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49244
01/22/2019-16:37:42.067292  [**] [1:2021013:6] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49244
01/22/2019-16:37:42.067292  [**] [1:2810654:4] ETPRO POLICY Possibly Suspicious example.com SSL Cert [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 107.173.104.160:447 -> 192.168.3.101:49244
01/22/2019-16:37:48.355434  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.23.252.10:80 -> 192.168.3.101:49245
01/22/2019-16:37:48.355434  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.23.252.10:80 -> 192.168.3.101:49245
01/22/2019-16:37:48.355434  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.23.252.10:80 -> 192.168.3.101:49245
01/22/2019-16:42:55.783055  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 76.107.90.235:449 -> 192.168.3.101:49246


unified2.alert.1548330072 (73284 bytes)


suricata-4.0.0-etpro-all-perf.txt-2019-01-24-T-11-41-14-01242019.1140-2019-01-22-1st-run-Emotet-infection-with-Trickbot.pcap.txt (78166 bytes)
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:41:14. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2016537      1        2        25193764     9.00   985      3        10744646    25577.43    71543.33    25437.00   
  2        2820157      1        2        32689821     11.68  167      0        6398078     195747.43   0.00        195747.43  
  3        2819664      1        2        26489909     9.47   115      0        5945830     230347.03   0.00        230347.03  
  4        2017552      1        6        19252138     6.88   993      0        5345862     19387.85    0.00        19387.85   
  5        2820158      1        2        31757402     11.35  167      0        4885339     190164.08   0.00        190164.08  
  6        2018375      1        3        1150697      0.41   56       0        388711      20548.16    0.00        20548.16   
  7        2020865      1        3        11111886     3.97   85       0        383712      130728.07   0.00        130728.07  
  8        2008575      1        5        7654983      2.74   1228     0        380818      6233.70     0.00        6233.70    
  9        2803027      1        6        859006       0.31   20       0        346288      42950.30    0.00        42950.30   
  10       2819930      1        2        18516285     6.62   115      0        329958      161011.17   0.00        161011.17  
  11       2016855      1        2        269499       0.10   1        0        269499      269499.00   0.00        269499.00  
  12       2802987      1        5        1254603      0.45   42       0        220511      29871.50    0.00        29871.50   
  13       2804927      1        2        768261       0.27   25       0        205982      30730.44    0.00        30730.44   
  14       2807932      1        6        871430       0.31   5        0        198434      174286.00   0.00        174286.00  
  15       2016854      1        3        190228       0.07   1        0        190228      190228.00   0.00        190228.00  
  16       2819940      1        3        1399386      0.50   9        0        187672      155487.33   0.00        155487.33  
  17       2816510      1        3        1404629      0.50   9        0        186802      156069.89   0.00        156069.89  
  18       2803657      1        5        768487       0.27   21       0        181781      36594.62    0.00        36594.62   
  19       2804907      1        3        455302       0.16   27       0        170657      16863.04    0.00        16863.04   
  20       2801929      1        7        956439       0.34   26       0        164287      36786.12    0.00        36786.12   
  21       2804906      1        3        551646       0.20   18       0        154373      30647.00    0.00        30647.00   
  22       2802991      1        5        487223       0.17   19       0        153366      25643.32    0.00        25643.32   
  23       2801930      1        7        927381       0.33   26       0        153363      35668.50    0.00        35668.50   
  24       2021749      1        6        293641       0.10   5        0        148543      58728.20    0.00        58728.20   
  25       2023476      1        5        1254636      0.45   11       0        145318      114057.82   0.00        114057.82  
  26       2804911      1        3        310102       0.11   15       0        141411      20673.47    0.00        20673.47   
  27       2809923      1        2        584235       0.21   6        0        134863      97372.50    0.00        97372.50   
  28       2816922      1        5        313172       0.11   7        0        124626      44738.86    0.00        44738.86   
  29       2809747      1        2        123578       0.04   1        0        123578      123578.00   0.00        123578.00  
  30       2827279      1        5        193832       0.07   8        0        120277      24229.00    0.00        24229.00   
  31       2018358      1        7        503178       0.18   6        1        118430      83863.00    27245.00    95186.60   
  32       2809855      1        2        562192       0.20   6        0        115442      93698.67    0.00        93698.67   
  33       2021375      1        2        554637       0.20   6        0        112367      92439.50    0.00        92439.50   
  34       2809981      1        3        552705       0.20   6        0        109743      92117.50    0.00        92117.50   
  35       2808503      1        2        546147       0.20   6        0        107333      91024.50    0.00        91024.50   
  36       2021013      1        6        412935       0.15   5        5        97243       82587.00    82587.00    0.00       
  37       2815324      1        2        224230       0.08   5        0        91113       44846.00    0.00        44846.00   
  38       2816940      1        2        431869       0.15   7        0        89759       61695.57    0.00        61695.57   
  39       2830701      1        1        100132       0.04   4        0        89691       25033.00    0.00        25033.00   
  40       2014819      1        3        89531        0.03   1        0        89531       89531.00    0.00        89531.00   
  41       2019832      1        4        446333       0.16   6        0        89165       74388.83    0.00        74388.83   
  42       2806020      1        2        89096        0.03   1        0        89096       89096.00    0.00        89096.00   
  43       2014471      1        6        87403        0.03   1        0        87403       87403.00    0.00        87403.00   
  44       2810654      1        4        601086       0.21   10       10       86176       60108.60    60108.60    0.00       
  45       2020308      1        3        85069        0.03   1        0        85069       85069.00    0.00        85069.00   
  46       2821615      1        2        313097       0.11   8        0        82154       39137.12    0.00        39137.12   
  47       2013036      1        7        81297        0.03   1        0        81297       81297.00    0.00        81297.00   
  48       2816909      1        2        452864       0.16   7        0        80785       64694.86    0.00        64694.86   
  49       2826256      1        2        356730       0.13   11       0        79669       32430.00    0.00        32430.00   
  50       2021946      1        2        353257       0.13   6        0        78844       58876.17    0.00        58876.17   
  51       2018005      1        6        594720       0.21   11       0        78389       54065.45    0.00        54065.45   
  52       2020388      1        8        257851       0.09   7        0        77985       36835.86    0.00        36835.86   
  53       2814978      1        2        151088       0.05   5        0        77918       30217.60    0.00        30217.60   
  54       2816910      1        2        431459       0.15   7        0        77794       61637.00    0.00        61637.00   
  55       2815254      1        7        77580        0.03   1        0        77580       77580.00    0.00        77580.00   
  56       2807400      1        3        236511       0.08   5        0        76838       47302.20    0.00        47302.20   
  57       2022535      1        11       591507       0.21   11       0        76760       53773.36    0.00        53773.36   
  58       2828008      1        2        145280       0.05   8        0        76318       18160.00    0.00        18160.00   
  59       2804508      1        2        76245        0.03   1        0        76245       76245.00    0.00        76245.00   
  60       2816327      1        4        300320       0.11   7        0        76182       42902.86    0.00        42902.86   
  61       2819694      1        2        539643       0.19   115      0        74873       4692.55     0.00        4692.55    
  62       2019344      1        5        263320       0.09   5        0        72199       52664.00    0.00        52664.00   
  63       2018241      1        2        118953       0.04   2        0        69113       59476.50    0.00        59476.50   
  64       2814979      1        2        138791       0.05   5        0        67400       27758.20    0.00        27758.20   
  65       2830124      1        1        67126        0.02   1        0        67126       67126.00    0.00        67126.00   
  66       2022339      1        2        268558       0.10   5        0        66120       53711.60    0.00        53711.60   
  67       2821561      1        2        229585       0.08   5        0        65265       45917.00    0.00        45917.00   
  68       2022627      1        12       560095       0.20   11       0        64892       50917.73    0.00        50917.73   
  69       2025064      1        5        307160       0.11   7        0        64585       43880.00    0.00        43880.00   
  70       2806802      1        2        7652729      2.73   378      0        63906       20245.31    0.00        20245.31   
  71       2023711      1        2        114396       0.04   2        0        63267       57198.00    0.00        57198.00   
  72       2018959      1        3        113236       0.04   2        2        61276       56618.00    56618.00    0.00       
  73       2821839      1        2        60166        0.02   1        0        60166       60166.00    0.00        60166.00   
  74       2820851      1        5        280888       0.10   7        0        59682       40126.86    0.00        40126.86   
  75       2819857      1        1        169027       0.06   5        0        59064       33805.40    0.00        33805.40   
  76       2022198      1        2        86826        0.03   2        0        58951       43413.00    0.00        43413.00   
  77       2830764      1        2        1521247      0.54   144      0        58818       10564.22    0.00        10564.22   
  78       2018982      1        2        240493       0.09   5        0        58457       48098.60    0.00        48098.60   
  79       2013352      1        4        110759       0.04   2        0        57439       55379.50    0.00        55379.50   
  80       2811275      1        8        57353        0.02   1        0        57353       57353.00    0.00        57353.00   
  81       2018958      1        18       225288       0.08   5        0        56915       45057.60    0.00        45057.60   
  82       2811447      1        2        1784840      0.64   66       0        56780       27043.03    0.00        27043.03   
  83       2823570      1        4        66495        0.02   4        0        55599       16623.75    0.00        16623.75   
  84       2823263      1        3        83852        0.03   2        0        55192       41926.00    0.00        41926.00   
  85       2805985      1        2        230362       0.08   5        0        54434       46072.40    0.00        46072.40   
  86       2018452      1        15       204111       0.07   5        0        54218       40822.20    0.00        40822.20   
  87       2012707      1        5        301178       0.11   10       0        54214       30117.80    0.00        30117.80   
  88       2815483      1        6        54160        0.02   1        0        54160       54160.00    0.00        54160.00   
  89       2810481      1        4        3299285      1.18   163      0        53313       20241.01    0.00        20241.01   
  90       2819887      1        2        67584        0.02   2        0        53181       33792.00    0.00        33792.00   
  91       2822213      1        2        134521       0.05   11       0        52992       12229.18    0.00        12229.18   
  92       2816328      1        5        259485       0.09   7        0        52936       37069.29    0.00        37069.29   
  93       2019693      1        5        190863       0.07   5        0        52487       38172.60    0.00        38172.60   
  94       2019737      1        2        52149        0.02   1        1        52149       52149.00    52149.00    0.00       
  95       2808234      1        1        210701       0.08   5        0        51866       42140.20    0.00        42140.20   
  96       2020569      1        1        213978       0.08   5        0        51464       42795.60    0.00        42795.60   
  97       2022050      1        3        223414       0.08   5        0        51040       44682.80    0.00        44682.80   
  98       2009028      1        11       96297        0.03   2        0        50967       48148.50    0.00        48148.50   
  99       2024767      1        2        176232       0.06   5        0        49927       35246.40    0.00        35246.40   
  100      2809267      1        8        49926        0.02   1        0        49926       49926.00    0.00        49926.00   
  101      2023670      1        3        195035       0.07   6        1        49794       32505.83    11279.00    36751.20   
  102      2816165      1        5        394039       0.14   11       0        49711       35821.73    0.00        35821.73   
  103      2815482      1        6        49315        0.02   1        0        49315       49315.00    0.00        49315.00   
  104      2826058      1        2        141378       0.05   6        0        49260       23563.00    0.00        23563.00   
  105      2809859      1        6        49059        0.02   1        0        49059       49059.00    0.00        49059.00   
  106      2816928      1        3        230797       0.08   7        0        48716       32971.00    0.00        32971.00   
  107      2022552      1        2        3148126      1.12   158      0        48608       19924.85    0.00        19924.85   
  108      2024272      1        4        58394        0.02   4        0        48464       14598.50    0.00        14598.50   
  109      2020797      1        2        48388        0.02   1        0        48388       48388.00    0.00        48388.00   
  110      2022220      1        2        191563       0.07   5        0        48206       38312.60    0.00        38312.60   
  111      2827575      1        2        169458       0.06   5        0        48097       33891.60    0.00        33891.60   
  112      2816929      1        4        208707       0.07   7        0        47614       29815.29    0.00        29815.29   
  113      2829607      1        1        47550        0.02   1        0        47550       47550.00    0.00        47550.00   
  114      2014353      1        6        92019        0.03   2        0        46823       46009.50    0.00        46009.50   
  115      2826029      1        3        217318       0.08   6        0        46784       36219.67    0.00        36219.67   
  116      2008438      1        20       212666       0.08   5        0        46458       42533.20    0.00        42533.20   
  117      2009909      1        10       182543       0.07   5        0        46401       36508.60    0.00        36508.60   
  118      2815534      1        2        46395        0.02   1        0        46395       46395.00    0.00        46395.00   
  119      2012612      1        16       180868       0.06   7        0        46269       25838.29    0.00        25838.29   
  120      2830035      1        2        46187        0.02   1        0        46187       46187.00    0.00        46187.00   
  121      2016502      1        2        490645       0.18   96       0        45869       5110.89     0.00        5110.89    
  122      2025162      1        2        45805        0.02   1        0        45805       45805.00    0.00        45805.00   
  123      2024909      1        2        1278929      0.46   66       0        45743       19377.71    0.00        19377.71   
  124      2019141      1        3        45021        0.02   1        0        45021       45021.00    0.00        45021.00   
  125      2021067      1        2        1

This file has been truncated.


packet_stats.log - (13286 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          6900          1888601     1226915007     908223331       6266.7b   99.88
 IPv4      17            12         16585733     1075632592     615345212          7.4b    0.12
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          6900            66016       26493107        208528          1.4b   95.05
TMM_FLOWWORKER              IPv4      17            12           365123       10039142       1377888         16.5m    1.09
TMM_RECEIVEPCAPFILE         IPv4       6          6888             2540       13591835          4902         33.8m    2.23
TMM_RECEIVEPCAPFILE         IPv4      17            12             2568          10812          3450         41.4k    0.00
TMM_DECODEPCAPFILE          IPv4       6          6888             2645        4490426          3559         24.5m    1.62
TMM_DECODEPCAPFILE          IPv4      17            12             2792          18754          4513         54.2k    0.00

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6          6888             2707         141040          3330         22.9m  1.73  
flow                    IPv4      17            12             3220          18701          6548         78.6k  0.01  
stream                  IPv4       6          6900             2673         567725          6776         46.8m  3.53  
app-layer               IPv4      17            12            10248          76414         23691        284.3k  0.02  
detect                  IPv4       6          6900            44504       26380932        177051          1.2b  92.28 
detect                  IPv4      17            12           304536         787536        465735          5.6m  0.42  
tcp-prune               IPv4       6          6900             2538        6034012          3850         26.6m  2.01  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6             9             4771          61766         19735        177.6k  52.83 
tls                     IPv4       6            22             2678           6822          3051         67.1k  19.97 
dns                     IPv4      17            12             4828          14122          7623         91.5k  27.21 
Proto detect            IPv4      17            10             6909          29848         12820        128.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6            25            15571         102278         39144        978.6k  5.71  
LOGGER_ALERT_FAST           IPv4      17             1            45268          45268         45268         45.3k  0.26  
LOGGER_UNIFIED2             IPv4       6            25            19855         175355         49878          1.2m  7.28  
LOGGER_UNIFIED2             IPv4      17             1            25307          25307         25307         25.3k  0.15  
LOGGER_JSON_ALERT           IPv4       6            25            38832         133478         69213          1.7m  10.10 
LOGGER_JSON_ALERT           IPv4      17             1            67041          67041         67041         67.0k  0.39  
LOGGER_JSON_DNS             IPv4      17            12            32894        9279261        845391         10.1m  59.21 
LOGGER_JSON_HTTP            IPv4       6            11            37733         196058         99869          1.1m  6.41  
LOGGER_JSON_TLS             IPv4       6            11            34429          79010         51308        564.4k  3.29  
LOGGER_JSON_FILE            IPv4       6            11            62786         208373        111899          1.2m  7.18  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          2463             2586        1741596         18679        46.0m  12.29 
payload                           IPv4      17            12            20502         123490         47236       566.8k  0.15  
stream                            IPv4       6          2463             2533        9688765         31832        78.4m  20.94 
http_uri                          IPv4       6            11             4048          55603         14613       160.7k  0.04  
http_request_line                 IPv4       6            11             4202          12162          6862        75.5k  0.02  
http_client_body                  IPv4       6            15             2726         274652         25188       377.8k  0.10  
http_header (request)             IPv4       6            11             9723         217157         81650       898.2k  0.24  
http_header (request trailer)     IPv4       6            11             2595           3248          2753        30.3k  0.01  
http_header_names (request)       IPv4       6            11            11624          23506         18719       205.9k  0.06  
http_accept (request)             IPv4       6            11             3319           6771          3983        43.8k  0.01  
http_referer (request)            IPv4       6            11             3061           3940          3396        37.4k  0.01  
http_content_len (request)        IPv4       6            11             2918           5425          3697        40.7k  0.01  
http_content_type (request)       IPv4       6            11             3262          30031          6540        71.9k  0.02  
http_protocol (request)           IPv4       6            11             4192           6956          5394        59.3k  0.02  
http_start (request)              IPv4       6            11             7723          32154         16327       179.6k  0.05  
http_raw_header (request)         IPv4       6            15             3880          30330         12396       185.9k  0.05  
http_method                       IPv4       6            11             4837           8331          6546        72.0k  0.02  
http_cookie (request)             IPv4       6            11             2991          16225          8376        92.1k  0.02  
http_raw_uri                      IPv4       6            11             2991           8275          5353        58.9k  0.02  
http_user_agent                   IPv4       6            11             2765         140042         39855       438.4k  0.12  
http_host                         IPv4       6            11             3385          31046          8772        96.5k  0.03  
dns_query                         IPv4      17             6             7941          11746          9778        58.7k  0.02  
tls_sni                           IPv4       6            11             2647          18760          4239        46.6k  0.01  
http_response_line                IPv4       6            11             6408          14623         10117       111.3k  0.03  
http_header (response)            IPv4       6            11            20839          83647         50066       550.7k  0.15  
http_header (response trailer)    IPv4       6            11             2597         114116         25210       277.3k  0.07  
http_content_type (response)      IPv4       6            11             4634          28566         10274       113.0k  0.03  
http_raw_header (response)        IPv4       6          2336             3472          57983          5307        12.4m  3.31  
http_cookie (response)            IPv4       6            11             3114           7730          4026        44.3k  0.01  
http_stat_code                    IPv4       6            11             3017           4981          3933        43.3k  0.01  
tls_cert_issuer                   IPv4       6            11             4017           7389          6030        66.3k  0.02  
tls_cert_subject                  IPv4       6            11             6457          22649         11209       123.3k  0.03  
tls_cert_serial                   IPv4       6            11             3319           6370          4781        52.6k  0.01  
file_data (http response)         IPv4       6          2325             2561       25058347         99933       232.3m  62.07 
Total                             IPv4                  9921                                         37731       374.3m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6            60             3447         100052         44818          2.7m  0.16  
PROF_DETECT_IPONLY          IPv4      17            12            37891         121257         63822        765.9k  0.05  
PROF_DETECT_RULES           IPv4       6          6900             2519       10772600         47103        325.0m  19.69 
PROF_DETECT_RULES           IPv4      17            12           142629         406881        250168          3.0m  0.18  
PROF_DETECT_STATEFUL_START    IPv4       6          1527             5094        6848488         95324        145.6m  8.82  
PROF_DETECT_STATEFUL_CONT    IPv4       6          6900             2507         422231          9020         62.2m  3.77  
PROF_DETECT_STATEFUL_CONT    IPv4      17            12             5263          92266         14161        169.9k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          6776             2544         382560          2905         19.7m  1.19  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            12             2667           3855          3067         36.8k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          6900             7826       25417123         78508        541.7m  32.81 
PROF_DETECT_PREFILTER       IPv4      17            12            47921         186127         84027          1.0m  0.06  
PROF_DETECT_PF_PAYLOAD      IPv4       6          2463            13468        9718422         59155        145.7m  8.83  
PROF_DETECT_PF_PAYLOAD      IPv4      17            12            25882         128658         52523        630.3k  0.04  
PROF_DETECT_PF_TX           IPv4       6          6776             2568       25085886         41947        284.2m  17.22 
PROF_DETECT_PF_TX           IPv4      17             6            13900          25496         17776        106.7k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6          1404             2525        6033364          7581         10.6m  0.64  
PROF_DETECT_PF_SORT1        IPv4      17            12             3890           6117          4658         55.9k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6          6900             2510         384718          2903         20.0m  1.21  
PROF_DETECT_PF_SORT2        IPv4      17            12             3039           5048          3952         47.4k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6          6900             2529          46635          2993         20.7m  1.25  
PROF_DETECT_NONMPMLIST      IPv4      17            12             2776           4312          3473         41.7k  0.00  
PROF_DETECT_ALERT           IPv4       6          6900             2516        6137504          3663         25.3m  1.53  
PROF_DETECT_ALERT           IPv4      17            12             2525          13566          3761         45.1k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          6900             2553          39923          2913         20.1m  1.22  
PROF_DETECT_CLEANUP         IPv4      17            12             3168           6355          4146         49.8k  0.00  
PROF_DETECT_GETSGH          IPv4       6          6900             2512          65358          3096         21.4m  1.29  
PROF_DETECT_GETSGH          IPv4      17            12             5441          13983          6596         79.2k  0.00  


stats.log - (2847 bytes)
------------------------------------------------------------------------------------
Date: 1/24/2019 -- 11:41:14 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 6900
decoder.bytes                              | Total                     | 5653416
decoder.ipv4                               | Total                     | 6900
decoder.ethernet                           | Total                     | 6900
decoder.tcp                                | Total                     | 6888
decoder.udp                                | Total                     | 12
decoder.avg_pkt_size                       | Total                     | 819
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 30
flow.udp                                   | Total                     | 6
tcp.sessions                               | Total                     | 30
tcp.syn                                    | Total                     | 50
tcp.synack                                 | Total                     | 20
tcp.rst                                    | Total                     | 15
detect.alert                               | Total                     | 36
detect.mpm_list                            | Total                     | 1
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 1
app_layer.flow.http                        | Total                     | 9
app_layer.tx.http                          | Total                     | 11
app_layer.flow.tls                         | Total                     | 11
app_layer.flow.dns_udp                     | Total                     | 6
app_layer.tx.dns_udp                       | Total                     | 6
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 4
flow_mgr.flows_notimeout                   | Total                     | 4
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65532
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076608


eve.json - (36386 bytes)
{"timestamp":"2019-01-22T16:20:47.379627+0000","flow_id":1372767159044843,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.3.101","src_port":59818,"dest_ip":"192.168.3.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54896,"rrname":"wolfgieten.nl","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:20:47.479201+0000","flow_id":1372767159044843,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.3.1","src_port":53,"dest_ip":"192.168.3.101","dest_port":59818,"proto":"UDP","dns":{"type":"answer","id":54896,"rcode":"NOERROR","rrname":"wolfgieten.nl","rrtype":"A","ttl":5,"rdata":"185.56.147.100"}}
{"timestamp":"2019-01-22T16:20:48.287499+0000","flow_id":665358128075521,"pcap_cnt":51,"event_type":"alert","src_ip":"185.56.147.100","src_port":80,"dest_ip":"192.168.3.101","dest_port":49207,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2020657,"rev":2,"signature":"ET TROJAN Possible malicious Office doc hidden in XML file","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:20:48.572261+0000","flow_id":1452483899603813,"pcap_cnt":125,"event_type":"dns","src_ip":"192.168.3.101","src_port":52566,"dest_ip":"192.168.3.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61130,"rrname":"wolfgieten.nl","rrtype":"NS","tx_id":0}}
{"timestamp":"2019-01-22T16:20:48.673158+0000","flow_id":1452483899603813,"pcap_cnt":136,"event_type":"dns","src_ip":"192.168.3.1","src_port":53,"dest_ip":"192.168.3.101","dest_port":52566,"proto":"UDP","dns":{"type":"answer","id":61130,"rcode":"NOERROR","rrname":"wolfgieten.nl","rrtype":"NS","ttl":5,"rdata":"een.dnssrv.nl"}}
{"timestamp":"2019-01-22T16:20:48.673158+0000","flow_id":1452483899603813,"pcap_cnt":136,"event_type":"dns","src_ip":"192.168.3.1","src_port":53,"dest_ip":"192.168.3.101","dest_port":52566,"proto":"UDP","dns":{"type":"answer","id":61130,"rcode":"NOERROR","rrname":"wolfgieten.nl","rrtype":"NS","ttl":5,"rdata":"drie.dnssrv.nl"}}
{"timestamp":"2019-01-22T16:20:48.673158+0000","flow_id":1452483899603813,"pcap_cnt":136,"event_type":"dns","src_ip":"192.168.3.1","src_port":53,"dest_ip":"192.168.3.101","dest_port":52566,"proto":"UDP","dns":{"type":"answer","id":61130,"rcode":"NOERROR","rrname":"wolfgieten.nl","rrtype":"NS","ttl":5,"rdata":"twee.dnssrv.nl"}}
{"timestamp":"2019-01-22T16:20:48.885384+0000","flow_id":665358128075521,"pcap_cnt":247,"event_type":"http","src_ip":"192.168.3.101","src_port":49207,"dest_ip":"185.56.147.100","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"wolfgieten.nl","url":"\/juue-4A_UjsYkEk-KmX\/PaymentStatus\/En_us\/Invoice-for-w\/q-01\/22\/2019\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/xml"}}
{"timestamp":"2019-01-22T16:20:53.691391+0000","flow_id":665358128075521,"pcap_cnt":249,"event_type":"fileinfo","src_ip":"185.56.147.100","src_port":80,"dest_ip":"192.168.3.101","dest_port":49207,"proto":"TCP","http":{"hostname":"wolfgieten.nl","url":"\/juue-4A_UjsYkEk-KmX\/PaymentStatus\/En_us\/Invoice-for-w\/q-01\/22\/2019\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":204051},"app_proto":"http","fileinfo":{"filename":"4358330066714301995.doc","gaps":false,"state":"CLOSED","stored":false,"size":203829,"tx_id":0}}
{"timestamp":"2019-01-22T16:21:20.986746+0000","flow_id":62789250977402,"pcap_cnt":253,"event_type":"dns","src_ip":"192.168.3.101","src_port":60324,"dest_ip":"192.168.3.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36659,"rrname":"www.apf-entreprises80.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:21:21.086500+0000","flow_id":62789250977402,"pcap_cnt":254,"event_type":"dns","src_ip":"192.168.3.1","src_port":53,"dest_ip":"192.168.3.101","dest_port":60324,"proto":"UDP","dns":{"type":"answer","id":36659,"rcode":"NOERROR","rrname":"www.apf-entreprises80.com","rrtype":"CNAME","ttl":5,"rdata":"apf-entreprises80.com"}}
{"timestamp":"2019-01-22T16:21:21.086500+0000","flow_id":62789250977402,"pcap_cnt":254,"event_type":"dns","src_ip":"192.168.3.1","src_port":53,"dest_ip":"192.168.3.101","dest_port":60324,"proto":"UDP","dns":{"type":"answer","id":36659,"rcode":"NOERROR","rrname":"apf-entreprises80.com","rrtype":"A","ttl":5,"rdata":"213.186.33.17"}}
{"timestamp":"2019-01-22T16:21:21.578227+0000","flow_id":1922044086283302,"pcap_cnt":261,"event_type":"http","src_ip":"192.168.3.101","src_port":49214,"dest_ip":"213.186.33.17","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.apf-entreprises80.com","url":"\/gH9Eq6Qp2qBAsbN","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:21:21.578308+0000","flow_id":1922044086283302,"pcap_cnt":262,"event_type":"fileinfo","src_ip":"213.186.33.17","src_port":80,"dest_ip":"192.168.3.101","dest_port":49214,"proto":"TCP","http":{"hostname":"www.apf-entreprises80.com","url":"\/gH9Eq6Qp2qBAsbN","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/www.apf-entreprises80.com\/gH9Eq6Qp2qBAsbN\/","length":257},"app_proto":"http","fileinfo":{"filename":"\/gH9Eq6Qp2qBAsbN","gaps":false,"state":"CLOSED","stored":false,"size":257,"tx_id":0}}
{"timestamp":"2019-01-22T16:21:22.300156+0000","flow_id":1922044086283302,"pcap_cnt":333,"event_type":"alert","src_ip":"213.186.33.17","src_port":80,"dest_ip":"192.168.3.101","dest_port":49214,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:21:22.300156+0000","flow_id":1922044086283302,"pcap_cnt":333,"event_type":"alert","src_ip":"213.186.33.17","src_port":80,"dest_ip":"192.168.3.101","dest_port":49214,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-01-22T16:21:22.300156+0000","flow_id":1922044086283302,"pcap_cnt":333,"event_type":"alert","src_ip":"213.186.33.17","src_port":80,"dest_ip":"192.168.3.101","dest_port":49214,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2019-01-22T16:21:23.521602+0000","flow_id":1922044086283302,"pcap_cnt":1369,"event_type":"http","src_ip":"192.168.3.101","src_port":49214,"dest_ip":"213.186.33.17","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"www.apf-entreprises80.com","url":"\/gH9Eq6Qp2qBAsbN\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2019-01-22T16:22:26.788762+0000","flow_id":1591237119407769,"pcap_cnt":1382,"event_type":"alert","src_ip":"192.168.3.101","src_port":49218,"dest_ip":"100.42.20.148","dest_port":53,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2008420,"rev":4,"signature":"ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:22:29.423676+0000","flow_id":1591237119407769,"pcap_cnt":2739,"event_type":"http","src_ip":"192.168.3.101","src_port":49218,"dest_ip":"100.42.20.148","dest_port":53,"proto":"TCP","tx_id":0,"http":{"hostname":"100.42.20.148","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:22:29.485258+0000","flow_id":1591237119407769,"pcap_cnt":2741,"event_type":"fileinfo","src_ip":"100.42.20.148","src_port":53,"dest_ip":"192.168.3.101","dest_port":49218,"proto":"TCP","http":{"hostname":"100.42.20.148","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1102324},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":1102324,"tx_id":0}}
{"timestamp":"2019-01-22T16:22:29.799919+0000","flow_id":1591237119407769,"pcap_cnt":2744,"event_type":"alert","src_ip":"192.168.3.101","src_port":49218,"dest_ip":"100.42.20.148","dest_port":53,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2008420,"rev":4,"signature":"ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:22:29.799919+0000","flow_id":1591237119407769,"pcap_cnt":2744,"event_type":"http","src_ip":"192.168.3.101","src_port":49218,"dest_ip":"100.42.20.148","dest_port":53,"proto":"TCP","tx_id":1,"http":{"hostname":"100.42.20.148","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-22T16:23:34.907480+0000","flow_id":1591237119407769,"pcap_cnt":2761,"event_type":"fileinfo","src_ip":"100.42.20.148","src_port":53,"dest_ip":"192.168.3.101","dest_port":49218,"proto":"TCP","http":{"hostname":"100.42.20.148","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2019-01-22T16:23:42.017177+0000","flow_id":161169781154612,"pcap_cnt":2772,"event_type":"alert","src_ip":"82.202.212.162","src_port":443,"dest_ip":"192.168.3.101","dest_port":49224,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2019-01-22T16:23:42.025917+0000","flow_id":161169781154612,"pcap_cnt":2773,"event_type":"tls","src_ip":"192.168.3.101","src_port":49224,"dest_ip":"82.202.212.162","dest_port":443,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2019-01-22T16:23:42.025996+0000","flow_id":161169781154612,"pcap_cnt":2774,"event_type":"alert","src_ip":"82.202.212.162","src_port":443,"dest_ip":"192.168.3.101","dest_port":49224,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2019-01-22T16:23:42.025996+0000","flow_id":161169781154612,"pcap_cnt":2774,"event_type":"alert","src_ip":"82.202.212.162","src_port":443,"dest_ip":"192.168.3.101","dest_port":49224,"proto":"TCP","app_proto":"tls","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-22T16:23:57.814648+0000","flow_id":443628306394680,"pcap_cnt":2783,"event_type":"alert","src_ip":"192.168.3.101","src_port":57631,"dest_ip":"192.168.3.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2821116,"rev":2,"signature":"ETPRO POLICY External IP DNS Lookup wtfismyip","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"dns"}
{"timestamp":"2019-01-22T16:23:57.814648+0000","flow_id":443628306394680,"pcap_cnt":2783,"event_type":"dns","src_ip":"192.168.3.101","src_port":57631,"dest_ip":"192.168.3.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23197,"rrname":"wtfismyip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-22T16:23:57.889415+0000","flow_id":443628306394680,"pcap_cnt":2784,"event_type":"dns","src_ip":"192.168.3.1","src_port":53,"dest_ip":"192.168.3.101","dest_port":57631,"proto":"UDP","dns":{"type":"answer","id":23197,"rcode":"NOERROR","rrname":"wtfismyip.com","rrtype":"A","ttl":5,"rdata":"198.27.74.146"}}
{"timestamp":"2019-01-22T16:23:58.316309+0000","flow_id":740217273033641,"pcap_cnt":2794,"event_type":"alert","src_ip":"192.168.3.101","src_port":49225,"dest_ip":"198.27.74.146","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019737,"rev":2,"signature":"ET POLICY IP Check wtfismyip.com","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-22T16:23:58.316309+0000","flow_id":740217273033641,"pcap_cnt":2794,"event_type":"http","src_ip":"192.168.3.101","src_port":49225,"dest_ip":"198.27.74.146","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"wtfismyip.com","url":"\/text","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.2228.0 Safari\/537.36","http_content_type":"text\/plain"}}
{"timestamp":"2019-01-22T16:23:58.913740+0000","flow_id":1472773337567634,"pcap_cnt":2802,"event_type":"alert","src_ip":"107.173.104.160","src_port":447,"dest_ip":"192.168.3.101","dest_port":49226,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2019-01-22T16:23:58.922436+0000","flow_id":1472773337567634,"pcap_cnt":2803,"event_type":"tls","src_ip":"192.168.3.101","src_port":49226,"dest_ip":"107.173.104.160","dest_port":447,"proto":"TCP","tls":{"subject":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","issuerdn":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com"}}
{"timestamp":"2019-01-22T16:23:58.922517+0000","flow_id":1472773337567634,"pcap_cnt":2804,"event_type":"alert","src_ip":"107.173.104.160","src_port":447,"dest_ip":"192.168.3.101","dest_port":49226,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2021013,"rev":6,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2019-01-22T16:23:58.922517+0000","flow_id":1472773337567634,"pcap_cnt":2804,"event_type":"alert","src_ip":"107.173.104.160","src_port":447,"dest_ip":"192.168.3.101","dest_port":49226,"proto":"TCP","app_proto":"tls","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY Possibly Suspicious example.com SSL Cert","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-22T16:24:11.858516+0000","flow_id":740217273033641,"pcap_cnt":5586,"event_type":"fileinfo","src_ip":"198.27.74.146","src_port":80,"dest_ip":"192.168.3.101","dest_port":49225,"proto":"TCP","http":{"hostname":"wtfismyip.com","url":"\/text","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.2228.0 Safari\/537.36","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":15},"app_proto":"http","fileinfo":{"filename":"\/text","gaps":false,"state":"CLOSED","stored":false,"size":15,"tx_id":0}}
{"timestamp":"2019-01-22T16:24:12.121120+0000","flow_id":2111626101358919,"pcap_cnt":5620,"event_type":"alert","src_ip":"82.202.212.162","src_port":443,"dest_ip":"192.168.3.101","dest_port":49229,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810654,"rev":4,"signature":"ETPRO POLICY 

This file has been truncated.


keyword_perf.log - (16964 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/24/2019 -- 11:41:14
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  dsize            12911           2               2               9708            6455.00         6455.00         0.00           
  flow             25869831        4982            4982            10723609        5192.00         5192.00         0.00           
  content          100789978       5199            1973            6377508         19386.00        17828.00        20339.00       
  pcre             3826952         884             134             46427           4329.00         5301.00         4155.00        
  byte_test        927432          301             92              17269           3081.00         3676.00         2819.00        
  byte_jump        196347          61              34              9425            3218.00         3254.00         3174.00        
  isdataat         17018           6               1               3260            2836.00         2602.00         2883.00        
  flowbits         2178974         712             46              31791           3060.00         3622.00         3021.00        
  urilen           570282          168             42              11995           3394.00         3538.00         3346.00        
  byte_extract     23384           8               8               4033            2923.00         2923.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  dsize            12911           2               2               9708            6455.00         6455.00         0.00           
  flow             25869831        4982            4982            10723609        5192.00         5192.00         0.00           
  flowbits         2119262         702             36              31791           3018.00         2970.00         3021.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12670531        1924            769             382785          6585.00         5808.00         7102.00        
  pcre             584231          138             82              16978           4233.00         4057.00         4491.00        
  byte_test        927432          301             92              17269           3081.00         3676.00         2819.00        
  byte_jump        151873          47              20              9425            3231.00         3308.00         3174.00        
  isdataat         17018           6               1               3260            2836.00         2602.00         2883.00        
  byte_extract     23384           8               8               4033            2923.00         2923.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         59712           10              10              12851           5971.00         5971.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          366867          93              24              21262           3944.00         4009.00         3922.00        
  pcre             407733          49              5               32736           8321.00         5673.00         8621.00        
  urilen           570282          168             42              11995           3394.00         3538.00         3346.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          145513          23              7               18172           6326.00         6485.00         6257.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          42499           10              0               11042           4249.00         0.00            4249.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          83305961        2100            509             6377508         39669.00        54306.00        34986.00       
  pcre             2175279         604             0               46427           3601.00         0.00            3601.00        
  byte_jump        44474           14              14              4223            3176.00         3176.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2798652         640             498             18953           4372.00         4439.00         4138.00        
  pcre             554827          75              34              28536           7397.00         8082.00         6829.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          175155          40              25              10388           4378.00         4763.00         3738.00        
  pcre             9640            1               0               9640            9640.00         0.00            9640.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          37881           10              10              4301            3788.00         3788.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3054            1               1               3054            3054.00         3054.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7504            2               0               3973            3752.00         0.00            3752.00        
  pcre             11973           2               0               6572            5986.00         0.00            5986.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          87635           25              13              8565            3505.00         3986.00         2984.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             17550           1               1               17550           17550.00        17550.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          608804          156             99              16655           3902.00         4231.00         3330.00        
  pcre             65719           14              12              5658            4694.00         4745.00         4385.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7458            2               0               4188            3729.00         0.00            3729.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          61376           17              6               4357            3610.00         3584.00         3624.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          61857           12              12              16150           5154.00         5154.00         0.00           
  --------------------------------------------------------------------------------------------------------

This file has been truncated.


IDSDeathBlossom.py.log - (1188 bytes) - download
2019-01-24 11:40:52,413 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-24 11:40:53,117 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-24 11:40:53,118 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-24 11:40:53,118 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-24 11:40:53,118 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-24 11:40:53,118 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/774b6697be89a71bef0a9703fba7771756b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1140-2019-01-22-1st-run-Emotet-infection-with-Trickbot.pcap -vvv -k none
2019-01-24 11:41:14,296 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-24 11:41:14,297 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.891340971


suricata-report-2019-01-24-T-11-41-14-01242019.1140-2019-01-22-1st-run-Emotet-infection-with-Trickbot.pcap.txt - (17845 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/774b6697be89a71bef0a9703fba7771756b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01242019.1140-2019-01-22-1st-run-Emotet-infection-with-Trickbot.pcap -vvv -k none
elapsedtime:21.175945
stderr:
stdout:
24/1/2019 -- 11:40:53 - <Info> - Configuration node 'rule-files' redefined.
24/1/2019 -- 11:40:53 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/1/2019 -- 11:40:53 - <Info> - CPUs/cores online: 1
24/1/2019 -- 11:40:53 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31879 and 'request-body-inspect-window' set to 16833 after randomization.
24/1/2019 -- 11:40:53 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33223 and 'response-body-inspect-window' set to 16751 after randomization.
24/1/2019 -- 11:40:53 - <Config> - DNS request flood protection level: 500
24/1/2019 -- 11:40:53 - <Config> - DNS per flow memcap (state-memcap): 524288
24/1/2019 -- 11:40:53 - <Config> - DNS global memcap: 16777216
24/1/2019 -- 11:40:53 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/1/2019 -- 11:40:53 - <Config> - preallocated 1000 hosts of size 136
24/1/2019 -- 11:40:53 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/1/2019 -- 11:40:53 - <Config> - using magic-file /usr/share/file/magic
24/1/2019 -- 11:40:53 - <Config> - Core dump size is unlimited.
24/1/2019 -- 11:40:53 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/1/2019 -- 11:40:53 - <Config> - preallocated 1000 defrag trackers of size 168
24/1/2019 -- 11:40:53 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/1/2019 -- 11:40:53 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/1/2019 -- 11:40:53 - <Config> - stream "memcap": 33554432
24/1/2019 -- 11:40:53 - <Config> - stream "midstream" session pickups: disabled
24/1/2019 -- 11:40:53 - <Config> - stream "async-oneside": disabled
24/1/2019 -- 11:40:53 - <Config> - stream "checksum-validation": disabled
24/1/2019 -- 11:40:53 - <Config> - stream."inline": disabled
24/1/2019 -- 11:40:53 - <Config> - stream "bypass": disabled
24/1/2019 -- 11:40:53 - <Config> - stream "max-synack-queued": 5
24/1/2019 -- 11:40:53 - <Config> - stream.reassembly "memcap": 134217728
24/1/2019 -- 11:40:53 - <Config> - stream.reassembly "depth": 0
24/1/2019 -- 11:40:53 - <Config> - stream.reassembly "toserver-chunk-size": 2456
24/1/2019 -- 11:40:53 - <Config> - stream.reassembly "toclient-chunk-size": 2639
24/1/2019 -- 11:40:53 - <Config> - stream.reassembly.raw: enabled
24/1/2019 -- 11:40:53 - <Config> - stream.reassembly "segment-prealloc": 2048
24/1/2019 -- 11:40:53 - <Config> - Delayed detect disabled
24/1/2019 -- 11:40:53 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/1/2019 -- 11:40:53 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/1/2019 -- 11:40:53 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/1/2019 -- 11:40:53 - <Config> - prefilter engines: MPM
24/1/2019 -- 11:40:53 - <Config> - IP reputation disabled
24/1/2019 -- 11:40:53 - <Perf> - Registered 148 keyword profiling counters.
24/1/2019 -- 11:40:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
24/1/2019 -- 11:40:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
24/1/2019 -- 11:40:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
24/1/2019 -- 11:40:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
24/1/2019 -- 11:40:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
24/1/2019 -- 11:40:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/1/2019 -- 11:40:58 - <Config> - No rules loaded from ET-icmp.rules.
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
24/1/2019 -- 11:40:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
24/1/2019 -- 11:41:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
24/1/2019 -- 11:41:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
24/1/2019 -- 11:41:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
24/1/2019 -- 11:41:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
24/1/2019 -- 11:41:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
24/1/2019 -- 11:41:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
24/1/2019 -- 11:41:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/1/2019 -- 11:41:05 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 11:41:05 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/1/2019 -- 11:41:05 - <Info> - Threshold config parsed: 0 rule(s) found
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for tcp-packet
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for tcp-stream
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for udp-packet
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for other-ip
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_uri
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_client_body
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_accept
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_accept_enc
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_accept_lang
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_referer
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_connection
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_method
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_raw_uri
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_user_agent
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_host
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_raw_host
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_stat_msg
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_stat_code
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for dns_query
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for tls_sni
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 11:41:06 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 11:41:06 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/1/2019 -- 11:41:06 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/1/2019 -- 11:41:06 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
24/1/2019 -- 11:41:06 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/1/2019 -- 11:41:06 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
24/1/2019 -- 11:41:06 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
24/1/2019 -- 11:41:06 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
24/1/2019 -- 11:41:06 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/1/2019 -- 11:41:10 - <Perf> - Unique rule groups: 104
24/1/2019 -- 11:41:10 - <Perf> - Builtin MPM "toserver TCP packet": 35
24/1/2019 -- 11:41:10 - <Perf> - Builtin MPM "toclient TCP packet": 17
24/1/2019 -- 11:41:10 - <Perf> - Builtin MPM "toserver TCP stream": 33
24/1/2019 -- 11:41:10 - <Perf> - Builtin MPM "toclient TCP stream": 19
24/1/2019 -- 11:41:10 - <Perf> - Builtin MPM "toserver UDP packet": 27
24/1/2019 -- 11:41:10 - <Perf> - Builtin MPM "toclient UDP packet": 17
24/1/2019 -- 11:41:10 - <Perf> - Builtin MPM "other IP packet": 3
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_header": 10
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient http_header": 6
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_start": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_method": 5
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver http_host": 2
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toserver file_data": 1
24/1/2019 -- 11:41:10 - <Perf> - AppLayer MPM "toclient file_data": 7
24/1/2019 -- 11:41:12 - <Perf> - Registered 39590 rule profiling counters.
24/1/2019 -- 11:41:12 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 11:41:12 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 11:41:12 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/1/2019 -- 11:41:12 - <Info> - stats output device (regular) initialized: stats.log
24/1/2019 -- 11:41:12 - <Config> - AutoFP mode using "Hash" flow load balancer
24/1/2019 -- 11:41:12 - <Info> - reading pcap file /var/pcap/01242019.1140-2019-01-22-1st-run-Emotet-infection-with-Trickbot.pcap
24/1/2019 -

This file has been truncated.
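The engine log above is what decides how far the alert list can be trusted: it records that 44 rule files were processed, 39585 rules loaded with 0 failures, that local.rules contributed nothing, and which outputs (fast alert, eve.json with six modules, unified2, stats) were enabled before the pcap was read. The following Python is an added example, not part of this page or of the Suricata project, that parses those startup lines and flags the conditions that would weaken the alerts: a non-zero "rules failed" count, a rule file that contributed no rules, no alert output at all, or any line logged at <Error> or <Warning> level. SAMPLE_LOG is a constructed subset of the lines above; the regular expressions target the Suricata 4.0 line format shown on this page, and whether they fit other versions is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the Suricata 4.0 engine log lines shown above.
SAMPLE_LOG = """\
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/1/2019 -- 11:41:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/1/2019 -- 11:41:05 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 11:41:05 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/1/2019 -- 11:41:06 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/1/2019 -- 11:41:12 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 11:41:12 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 11:41:12 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 11:41:12 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/1/2019 -- 11:41:12 - <Info> - stats output device (regular) initialized: stats.log
24/1/2019 -- 11:41:12 - <Info> - reading pcap file /var/pcap/01242019.1140-2019-01-22-1st-run-Emotet-infection-with-Trickbot.pcap
"""

# "date -- time - <Level> - message"; assumed to hold for Suricata 4.0 as shown on this page.
LINE_RE = re.compile(r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d\d:\d\d:\d\d) - <(?P<level>\w+)> - (?P<msg>.*)$")
RULE_FILE_RE = re.compile(r"^Loading rule file: (?P<path>\S+)$")
EMPTY_FILE_RE = re.compile(r"^No rules loaded from (?P<name>\S+)\.$")
SUMMARY_RE = re.compile(r"^(?P<files>\d+) rule files processed\. (?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed$")
SIG_RE = re.compile(r"^(?P<sigs>\d+) signatures processed\.")
EVE_MODULE_RE = re.compile(r"^enabling 'eve-log' module '(?P<module>[\w-]+)'$")
OUTPUT_RE = re.compile(r"^(?P<kind>[\w-]+) output device \(\w+\) initialized: (?P<target>\S+)$")
UNIFIED2_RE = re.compile(r"^Unified2-alert initialized: filename (?P<target>\S+),")
PCAP_RE = re.compile(r"^reading pcap file (?P<path>\S+)$")


@dataclass
class EngineRun:
    rule_files: list[str] = field(default_factory=list)
    empty_files: list[str] = field(default_factory=list)   # files that loaded zero rules
    rules_loaded: Optional[int] = None
    rules_failed: Optional[int] = None
    signatures: Optional[int] = None
    eve_modules: list[str] = field(default_factory=list)
    outputs: dict[str, str] = field(default_factory=dict)  # output kind -> target file/name
    pcap: Optional[str] = None
    problems: list[tuple[str, str]] = field(default_factory=list)  # (level, message)


def parse_engine_log(text: str) -> EngineRun:
    """Extract rule-loading and output facts from Suricata engine log text."""
    run = EngineRun()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # truncated trailing line or non-log text
        level, msg = m.group("level"), m.group("msg")
        if level in ("Error", "Warning"):
            run.problems.append((level, msg))
        if (mm := RULE_FILE_RE.match(msg)):
            run.rule_files.append(mm.group("path"))
        elif (mm := EMPTY_FILE_RE.match(msg)):
            run.empty_files.append(mm.group("name"))
        elif (mm := SUMMARY_RE.match(msg)):
            run.rules_loaded = int(mm.group("loaded"))
            run.rules_failed = int(mm.group("failed"))
        elif (mm := SIG_RE.match(msg)):
            run.signatures = int(mm.group("sigs"))
        elif (mm := EVE_MODULE_RE.match(msg)):
            run.eve_modules.append(mm.group("module"))
        elif (mm := OUTPUT_RE.match(msg)):
            run.outputs[mm.group("kind")] = mm.group("target")
        elif (mm := UNIFIED2_RE.match(msg)):
            run.outputs["unified2"] = mm.group("target")
        elif (mm := PCAP_RE.match(msg)):
            run.pcap = mm.group("path")
    return run


def audit(run: EngineRun) -> list[str]:
    """Return findings that reduce confidence in the alert output; empty list means clean."""
    findings: list[str] = []
    if run.rules_failed is None:
        findings.append("no rule-load summary found; the ruleset may not have loaded")
    elif run.rules_failed > 0:
        findings.append(f"{run.rules_failed} rules failed to load")
    for name in run.empty_files:
        findings.append(f"{name} contributed no rules")
    if "alert" not in run.eve_modules and "fast" not in run.outputs and "unified2" not in run.outputs:
        findings.append("no alert output configured")
    findings.extend(f"<{level}> {msg}" for level, msg in run.problems)
    return findings


if __name__ == "__main__":
    run = parse_engine_log(SAMPLE_LOG)
    print(f"{run.rules_loaded} rules loaded, {run.rules_failed} failed, {run.signatures} signatures")
    print("eve-log modules:", ", ".join(run.eve_modules))
    for finding in audit(run):
        print("finding:", finding)
```

Run against the full engine log, the only finding for this capture is that local.rules contributed no rules, which is worth knowing when reading the alert list: every hit came from the ETPRO ruleset, and any site-specific detection that would normally live in local.rules was not in play.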