Filename: oo.pcapng
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-base
Runtime: 248.726399899 seconds
Hash: 7b0834f6af36f1bcd2c87d2838f41239 (32 hex digits; identical to the first 32 digits of the 64-digit output directory name in the run command in the report below)
Uploaded: 1542329997 (Unix epoch seconds, i.e. 2018-11-16 00:59:57 UTC, consistent with the 00:59:58 start time in the report log)

Logfiles


packet_stats.log (12119 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            43          2146099       38597200      16566289        712.4m   88.99
 IPv4      17             7          1837151       17237799      12584135         88.1m   11.01
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            43            66824       19048858        652436         28.1m   73.35
TMM_FLOWWORKER              IPv4      17             7           194704        7544132       1402876          9.8m   25.68
TMM_RECEIVEPCAPFILE         IPv4       6            39             2563           4078          2980        116.3k    0.30
TMM_RECEIVEPCAPFILE         IPv4      17             7             2704          11934          4199         29.4k    0.08
TMM_DECODEPCAPFILE          IPv4       6            39             2682          25070          4056        158.2k    0.41
TMM_DECODEPCAPFILE          IPv4      17             7             2768          48519          9555         66.9k    0.17

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot          %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  ---
flow                    IPv4       6            39             2856           9272          3657        142.6k  0.49  
flow                    IPv4      17             7             3177          33368         10803         75.6k  0.26  
stream                  IPv4       6            43             2569         470709         21091        906.9k  3.11  
app-layer               IPv4      17             7             2589          45304         17753        124.3k  0.43  
detect                  IPv4       6            43            45156       18234622        584081         25.1m  86.26 
detect                  IPv4      17             7           162731         608825        365327          2.6m  8.78  
tcp-prune               IPv4       6            43             2525          34059          4506        193.8k  0.67  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot          %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  ---
http                    IPv4       6             1            47528          47528         47528         47.5k  9.24  
http                    IPv4      17             1           431637         431637        431637        431.6k  83.94 
tls                     IPv4       6             2             2785           4837          3811          7.6k  1.48  
tls                     IPv4      17             1             3023           3023          3023          3.0k  0.59  
dns                     IPv4      17             2             8751          15682         12216         24.4k  4.75  
Proto detect            IPv4       6             2             7316          13140         10228         20.5k
Proto detect            IPv4      17             5             4277          37468         15013         75.1k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot          %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  ---
LOGGER_ALERT_FAST           IPv4       6             1           532915         532915        532915        532.9k  6.73  
LOGGER_UNIFIED2             IPv4       6             1           115982         115982        115982        116.0k  1.46  
LOGGER_JSON_ALERT           IPv4       6             1           114309         114309        114309        114.3k  1.44  
LOGGER_JSON_DNS             IPv4      17             2            62628        6882776       3472702          6.9m  87.67 
LOGGER_JSON_HTTP            IPv4       6             1           145454         145454        145454        145.5k  1.84  
LOGGER_JSON_TLS             IPv4       6             1            67824          67824         67824         67.8k  0.86  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            16             2695         570359        117796         1.9m  50.43 
payload                           IPv4      17             7            21121         226438         94106       658.7k  17.62 
stream                            IPv4       6            16             2629         430205         55407       886.5k  23.72 
http_uri                          IPv4       6             1            34873          34873         34873        34.9k  0.93  
http_request_line                 IPv4       6             1            12039          12039         12039        12.0k  0.32  
http_client_body                  IPv4       6             1             3930           3930          3930         3.9k  0.11  
http_header (request)             IPv4       6             1            71095          71095         71095        71.1k  1.90  
http_header (request trailer)     IPv4       6             1             2678           2678          2678         2.7k  0.07  
http_header_names (request)       IPv4       6             1            21978          21978         21978        22.0k  0.59  
http_accept (request)             IPv4       6             1            14451          14451         14451        14.5k  0.39  
http_referer (request)            IPv4       6             1             3291           3291          3291         3.3k  0.09  
http_content_len (request)        IPv4       6             1             7132           7132          7132         7.1k  0.19  
http_content_type (request)       IPv4       6             1             3739           3739          3739         3.7k  0.10  
http_protocol (request)           IPv4       6             1             6211           6211          6211         6.2k  0.17  
http_start (request)              IPv4       6             1            18409          18409         18409        18.4k  0.49  
http_raw_header (request)         IPv4       6             1            19966          19966         19966        20.0k  0.53  
http_method                       IPv4       6             1             6839           6839          6839         6.8k  0.18  
http_cookie (request)             IPv4       6             1             8087           8087          8087         8.1k  0.22  
http_raw_uri                      IPv4       6             1             5688           5688          5688         5.7k  0.15  
http_user_agent                   IPv4       6             1            11709          11709         11709        11.7k  0.31  
http_host                         IPv4       6             1             9790           9790          9790         9.8k  0.26  
dns_query                         IPv4      17             1            17426          17426         17426        17.4k  0.47  
tls_sni                           IPv4       6             4             3081          10105          5007        20.0k  0.54  
tls_cert_issuer                   IPv4       6             1             3008           3008          3008         3.0k  0.08  
tls_cert_subject                  IPv4       6             1             2615           2615          2615         2.6k  0.07  
tls_cert_serial                   IPv4       6             1             2636           2636          2636         2.6k  0.07  
Total                             IPv4                    65                                         57502         3.7m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot          %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  ---
PROF_DETECT_IPONLY          IPv4       6             8             3936           8009          6587         52.7k  0.17  
PROF_DETECT_IPONLY          IPv4      17             7             3401         101793         21788        152.5k  0.48  
PROF_DETECT_RULES           IPv4       6            43             2543       17680746        441047         19.0m  59.56 
PROF_DETECT_RULES           IPv4      17             7            38645         293872        119968        839.8k  2.64  
PROF_DETECT_STATEFUL_START    IPv4       6             3             2943        1127062        377739          1.1m  3.56  
PROF_DETECT_STATEFUL_CONT    IPv4       6            43             2551          15284          4469        192.2k  0.60  
PROF_DETECT_STATEFUL_CONT    IPv4      17             7             2617          54378         11502         80.5k  0.25  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            17             2570           3247          2781         47.3k  0.15  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             2             3420           3522          3471          6.9k  0.02  
PROF_DETECT_PREFILTER       IPv4       6            43             7928         736651         93580          4.0m  12.64 
PROF_DETECT_PREFILTER       IPv4      17             7            51324         254170        131172        918.2k  2.88  
PROF_DETECT_PF_PAYLOAD      IPv4       6            16            24688         707458        181089          2.9m  9.10  
PROF_DETECT_PF_PAYLOAD      IPv4      17             7            26218         232310         99468        696.3k  2.19  
PROF_DETECT_PF_TX           IPv4       6            17             2798         315809         24445        415.6k  1.31  
PROF_DETECT_PF_TX           IPv4      17             1            23904          23904         23904         23.9k  0.08  
PROF_DETECT_PF_SORT1        IPv4       6            11             2609           7403          3653         40.2k  0.13  
PROF_DETECT_PF_SORT1        IPv4      17             7             2980           8955          4129         28.9k  0.09  
PROF_DETECT_PF_SORT2        IPv4       6            43             2524          73657          6053        260.3k  0.82  
PROF_DETECT_PF_SORT2        IPv4      17             7             2957          25650         10248         71.7k  0.23  
PROF_DETECT_NONMPMLIST      IPv4       6            43             2613           8978          3246        139.6k  0.44  
PROF_DETECT_NONMPMLIST      IPv4      17             7             2918          10634          5553         38.9k  0.12  
PROF_DETECT_ALERT           IPv4       6            43             2530          33366          3654        157.2k  0.49  
PROF_DETECT_ALERT           IPv4      17             7             2540          11578          4108         28.8k  0.09  
PROF_DETECT_CLEANUP         IPv4       6            43             2525          16997          3320        142.8k  0.45  
PROF_DETECT_CLEANUP         IPv4      17             7             3037           4966          3836         26.9k  0.08  
PROF_DETECT_GETSGH          IPv4       6            43             2571          68369          6625        284.9k  0.89  
PROF_DETECT_GETSGH          IPv4      17             7             5457          74638         25337        177.4k  0.56  


suricata-4.0.0-etpro-base-perf.txt-2018-11-16-T-01-04-06-11162018.0059-oo.pcapng.txt (15063 bytes)
  --------------------------------------------------------------------------
  Date: 11/16/2018 -- 01:04:06. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2810816      1        2        15768400     86.84  1        0        15768400    15768400.00 0.00        15768400.00
  2        2827279      1        5        413987       2.28   1        0        413987      413987.00   0.00        413987.00  
  3        2816895      1        2        91184        0.50   1        0        91184       91184.00    0.00        91184.00   
  4        2021101      1        2        82751        0.46   1        0        82751       82751.00    0.00        82751.00   
  5        2829796      1        1        75576        0.42   1        1        75576       75576.00    75576.00    0.00       
  6        2024373      1        2        58196        0.32   1        0        58196       58196.00    0.00        58196.00   
  7        2809547      1        5        51195        0.28   1        0        51195       51195.00    0.00        51195.00   
  8        2009702      1        5        60029        0.33   4        0        49655       15007.25    0.00        15007.25   
  9        2022008      1        3        47915        0.26   1        0        47915       47915.00    0.00        47915.00   
  10       2819706      1        3        45879        0.25   1        0        45879       45879.00    0.00        45879.00   
  11       2023083      1        2        36855        0.20   1        0        36855       36855.00    0.00        36855.00   
  12       2807141      1        2        36484        0.20   1        0        36484       36484.00    0.00        36484.00   
  13       2806906      1        2        32171        0.18   1        0        32171       32171.00    0.00        32171.00   
  14       2809670      1        3        32101        0.18   1        0        32101       32101.00    0.00        32101.00   
  15       2809356      1        2        31839        0.18   1        0        31839       31839.00    0.00        31839.00   
  16       2809682      1        5        30877        0.17   1        0        30877       30877.00    0.00        30877.00   
  17       2821615      1        2        30853        0.17   1        0        30853       30853.00    0.00        30853.00   
  18       2012286      1        5        30792        0.17   1        0        30792       30792.00    0.00        30792.00   
  19       2014029      1        3        30656        0.17   1        0        30656       30656.00    0.00        30656.00   
  20       2820665      1        2        30035        0.17   1        0        30035       30035.00    0.00        30035.00   
  21       2812034      1        2        29789        0.16   1        0        29789       29789.00    0.00        29789.00   
  22       2016223      1        10       29666        0.16   1        0        29666       29666.00    0.00        29666.00   
  23       2814990      1        2        29288        0.16   1        0        29288       29288.00    0.00        29288.00   
  24       2816356      1        2        29091        0.16   1        0        29091       29091.00    0.00        29091.00   
  25       2805260      1        4        29048        0.16   1        0        29048       29048.00    0.00        29048.00   
  26       2020705      1        4        28827        0.16   1        0        28827       28827.00    0.00        28827.00   
  27       2016819      1        5        28372        0.16   1        0        28372       28372.00    0.00        28372.00   
  28       2022689      1        2        27660        0.15   1        0        27660       27660.00    0.00        27660.00   
  29       2014701      1        12       37112        0.20   4        0        27359       9278.00     0.00        9278.00    
  30       2012287      1        4        26648        0.15   1        0        26648       26648.00    0.00        26648.00   
  31       2022543      1        1        23683        0.13   1        0        23683       23683.00    0.00        23683.00   
  32       2020785      1        3        23600        0.13   1        0        23600       23600.00    0.00        23600.00   
  33       2020683      1        2        22983        0.13   1        0        22983       22983.00    0.00        22983.00   
  34       2826256      1        2        22893        0.13   1        0        22893       22893.00    0.00        22893.00   
  35       2017552      1        6        58559        0.32   3        0        22738       19519.67    0.00        19519.67   
  36       2828008      1        2        22703        0.13   1        0        22703       22703.00    0.00        22703.00   
  37       2810912      1        2        22640        0.12   1        0        22640       22640.00    0.00        22640.00   
  38       2022502      1        4        22388        0.12   1        0        22388       22388.00    0.00        22388.00   
  39       2816165      1        5        22217        0.12   1        0        22217       22217.00    0.00        22217.00   
  40       2806882      1        2        21131        0.12   1        0        21131       21131.00    0.00        21131.00   
  41       2804626      1        9        20742        0.11   1        0        20742       20742.00    0.00        20742.00   
  42       2803760      1        3        20135        0.11   1        0        20135       20135.00    0.00        20135.00   
  43       2826281      1        2        19754        0.11   1        0        19754       19754.00    0.00        19754.00   
  44       2811542      1        1        22688        0.12   2        0        18296       11344.00    0.00        11344.00   
  45       2014703      1        9        25824        0.14   4        0        15687       6456.00     0.00        6456.00    
  46       2815451      1        2        28372        0.16   2        0        15685       14186.00    0.00        14186.00   
  47       2014702      1        9        24088        0.13   4        0        14739       6022.00     0.00        6022.00    
  48       2008120      1        4        11695        0.06   3        0        5086        3898.33     0.00        3898.33    
  49       2025200      1        1        9700         0.05   2        0        5049        4850.00     0.00        4850.00    
  50       2001330      1        8        13957        0.08   4        0        4655        3489.25     0.00        3489.25    
  51       2823788      1        4        4590         0.03   1        0        4590        4590.00     0.00        4590.00    
  52       2023627      1        3        7354         0.04   2        0        4260        3677.00     0.00        3677.00    
  53       2009387      1        4        8141         0.04   2        0        4168        4070.50     0.00        4070.50    
  54       2810453      1        3        4159         0.02   1        0        4159        4159.00     0.00        4159.00    
  55       2102190      1        5        16397        0.09   5        0        4023        3279.40     0.00        3279.40    
  56       2019809      1        2        7778         0.04   2        0        3956        3889.00     0.00        3889.00    
  57       2023625      1        3        3916         0.02   1        0        3916        3916.00     0.00        3916.00    
  58       2008118      1        3        7092         0.04   2        0        3914        3546.00     0.00        3546.00    
  59       2809256      1        3        3905         0.02   1        0        3905        3905.00     0.00        3905.00    
  60       2824993      1        1        6594         0.04   2        0        3879        3297.00     0.00        3297.00    
  61       2013739      1        15       15855        0.09   5        0        3812        3171.00     0.00        3171.00    
  62       2821129      1        2        3796         0.02   1        0        3796        3796.00     0.00        3796.00    
  63       2009243      1        2        7076         0.04   2        0        3746        3538.00     0.00        3538.00    
  64       2023622      1        3        18490        0.10   6        0        3717        3081.67     0.00        3081.67    
  65       2828876      1        1        29693        0.16   10       0        3686        2969.30     0.00        2969.30    
  66       2022547      1        1        6279         0.03   2        0        3684        3139.50     0.00        3139.50    
  67       2015986      1        5        6997         0.04   2        0        3658        3498.50     0.00        3498.50    
  68       2017935      1        3        12154        0.07   4        0        3657        3038.50     0.00        3038.50    
  69       2821018      1        1        3641         0.02   1        0        3641        3641.00     0.00        3641.00    
  70       2802823      1        1        3618         0.02   1        0        3618        3618.00     0.00        3618.00    
  71       2008119      1        3        3590         0.02   1        0        3590        3590.00     0.00        3590.00    
  72       2022506      1        3        3553         0.02   1        0        3553        3553.00     0.00        3553.00    
  73       2023626      1        3        9366         0.05   3        0        3530        3122.00     0.00        3122.00    
  74       2808175      1        1        3502         0.02   1        0        3502        3502.00     0.00        3502.00    
  75       2823966      1        1        6756         0.04   2        0        3501        3378.00     0.00        3378.00    
  76       2010140      1        7        6789         0.04   2        0        3490        3394.50     0.00        3394.50    
  77       2103158      1        6        6199         0.03   2        0        3475        3099.50     0.00        3099.50    
  78       2808577      1        5        9594         0.05   3        0        3457        3198.00     0.00        3198.00    
  79       2021976      1        2        3442         0.02   1        0        3442        3442.00     0.00        3442.00    
  80       2023624      1        3        6272         0.03   2        0        3431        3136.00     0.00        3136.00    
  81       2806561      1        5        3430         0.02   1        0        3430        3430.00     0.00        3430.00    
  82       2008420      1        4        6663         0.04   2        0        3421        3331.50     0.00        3331.50    
  83       2811034      1        1        3419         0.02   1        0        3419        3419.00     0.00        3419.00    
  84       2102523      1        8        6608         0.04   2        0        3403        3304.00     0.00        3304.00    
  85       2103159      1        4        3398         0.02   1        0        3398        3398.00     0.00        3398.00    
  86       2809487      1        2        6527         0.04   2        0        3297        3263.50     0.00        3263.50    
  87       2018558      1        5        3294         0.02   1        0        3294        3294.00     0.00        3294.00    
  88       2807546      1        6        3290         0.02   1        0        3290        3290.00     0.00        3290.00    
  89       2809132      1        1        3242         0.02   1        0        3242        3242.00     0.00        3242.00    
  90       2018281      1        4        3209         0.02   1        0        3209        3209.00     0.00        3209.00    
  91       2804586      1        2        3143         0.02   1        0        3143        3143.00     0.00        3143.00    
  92       2010143      1        3        6104         0.03   2        0        3129        3052.00     0.00        3052.00    
  93       2021978      1        6        3100         0.02   1        0        3100        3100.00     0.00        3100.00    
  94       2810792      1        5        3080         0.02   1        0        3080        3080.00     0.00        3080.00    
  95       2023615      1        3        5872         0.03   2        0        3076        2936.00     0.00        2936.00    
  96       2102523      1        8        5661         0.03   2        0        3030        2830.50     0.00        2830.50    
  97       2023618      1        3        3024         0.02   1        0        3024        3024.00     0.00        3024.00    
  98       2023617      1        3        5621         0.03   2        0        3022        2810.50     0.00        2810.50    
  99       2103441      1        2        3015         0.02   1        0        3015        3015.00     0.00        3015.00    
  100      2103238      1        4        5761         0.03   2        0        2969        2880.50     0.00        2880.50    
  101      2010142      1        4        5708         0.03   2        0        2910        2854.00     0.00        2854.00    
  102      2008306      1        3        5526         0.03   2        0        2909        2763.00     0.00        2763.00    
  103      2023614      1        3        8630         0.05   3        0        2903        2876.67     0.00        2876.67    
  104      2013075      1        8        2897         0.02   1        0        2897        2897.00     0.00        2897.00    
  105      2023612      1        4        5491         0.03   2        0        2873        2745.50     0.00        2745.50    
  106      2023620      1        3        2868         0.02   1        0        2868        2868.00     0.00        2868.00    
  107      2024777      1        2        5470         0.03   2        0        2864        2735.00     0.00        2735.00    
  108      2023621      1        4        2855         0.02   1        0        2855        2855.00     0.00        2855.00    
  109      2023623      1        3        2844         0.02   1        0        2844        2844.00     0.00        2844.00    
  110      2023616      1        3        5650         0.03   2        0        2841        2825.00     0.00        2825.00    
  111      2822838      1        2        5223         0.03   2        0        2615        2611.50     0.00        2611.50    
  112      2023619      1        3        2605         0.01   1        0        2605        2605.00     0.00        2605.00    
  113      2810793      1        5        2573         0.01   1        0        2573        2573.00     0.00        2573.00    
  114      2805442      1        2        2571         0.01   1        0        2571        2571.00     0.00        2571.00    
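
The two profiling outputs above carry the numbers a tuner acts on: the Flow Worker table in packet_stats.log shows which module the thread time went to (detect alone accounts for 86.26% of TCP and 8.78% of UDP packet time), and the rule profile shows that sid 2810816 consumed 86.84% of all rule-inspection ticks on a single check that never matched. The Python below is an added example, not part of the original report and not Suricata's own code: it parses both table formats (the rows are copied from the tables on this page), merges per-protocol lines into one share per module, and lists signatures that burned a large share of ticks without ever matching. Class and function names are this example's own; the k/m suffix scaling is inferred from the page (cnt times avg reproduces the tot column).

```python
"""Parse the two Suricata profiling formats shown above and flag hotspots.

Added example, not Suricata's own code.  Table rows are copied from the
page's packet_stats.log and rule profile; names below are this example's own.
"""
import re
from dataclasses import dataclass

# Subset of the "Flow Worker" table from packet_stats.log above.
PACKET_STATS = """\
Flow Worker            IP ver   Proto   cnt            min            max            avg            tot          %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  ---
flow                    IPv4       6            39             2856           9272          3657        142.6k  0.49
flow                    IPv4      17             7             3177          33368         10803         75.6k  0.26
stream                  IPv4       6            43             2569         470709         21091        906.9k  3.11
app-layer               IPv4      17             7             2589          45304         17753        124.3k  0.43
detect                  IPv4       6            43            45156       18234622        584081         25.1m  86.26
detect                  IPv4      17             7           162731         608825        365327          2.6m  8.78
tcp-prune               IPv4       6            43             2525          34059          4506        193.8k  0.67
Note: stream includes app-layer for TCP
"""

# Subset of the rule profile (sorted by max ticks) above.
RULE_PERF = """\
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2810816      1        2        15768400     86.84  1        0        15768400    15768400.00 0.00        15768400.00
  2        2827279      1        5        413987       2.28   1        0        413987      413987.00   0.00        413987.00
  5        2829796      1        1        75576        0.42   1        1        75576       75576.00    75576.00    0.00
  8        2009702      1        5        60029        0.33   4        0        49655       15007.25    0.00        15007.25
  65       2828876      1        1        29693        0.16   10       0        3686        2969.30     0.00        2969.30
"""

# A module row: free-text name, IP version, proto, six numeric columns, a
# human-scaled total (142.6k, 25.1m) and a percentage.  Header, separator and
# "Note:" lines do not match and are skipped.
_MODULE_ROW = re.compile(
    r"^(?P<module>\S.*?)\s+(?P<ipver>IPv[46])\s+(?P<proto>\d+)\s+(?P<cnt>\d+)\s+"
    r"(?P<min>\d+)\s+(?P<max>\d+)\s+(?P<avg>\d+)\s+(?P<tot>[\d.]+[km]?)\s+(?P<pct>[\d.]+)\s*$"
)
_SCALE = {"k": 1e3, "m": 1e6}  # suffixes seen on the page: cnt * avg == tot


def human_to_ticks(text):
    """'25.1m' -> 25100000.0; a plain number passes through unchanged."""
    if text[-1] in _SCALE:
        return float(text[:-1]) * _SCALE[text[-1]]
    return float(text)


@dataclass(frozen=True)
class ModuleRow:
    module: str
    ipver: str
    proto: int
    cnt: int
    min_ticks: int
    max_ticks: int
    avg_ticks: int
    tot_ticks: float
    pct: float


def parse_module_table(text):
    rows = []
    for line in text.splitlines():
        m = _MODULE_ROW.match(line)
        if m is None:
            continue
        rows.append(ModuleRow(m["module"].strip(), m["ipver"], int(m["proto"]), int(m["cnt"]),
                              int(m["min"]), int(m["max"]), int(m["avg"]),
                              human_to_ticks(m["tot"]), float(m["pct"])))
    return rows


def share_by_module(rows):
    """Merge the per-protocol lines so each module has one share of thread time."""
    share = {}
    for r in rows:
        share[r.module] = share.get(r.module, 0.0) + r.pct
    return dict(sorted(share.items(), key=lambda kv: kv[1], reverse=True))


@dataclass(frozen=True)
class RuleRow:
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_no_match: float


def parse_rule_perf(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have exactly 12 fields and start with row number and sid.
        if len(f) != 12 or not (f[0].isdigit() and f[1].isdigit()):
            continue
        rows.append(RuleRow(int(f[1]), int(f[2]), int(f[3]), int(f[4]), float(f[5]),
                            int(f[6]), int(f[7]), int(f[8]), float(f[9]), float(f[10]), float(f[11])))
    return rows


def costly_without_match(rows, min_pct=1.0):
    """Signatures that took at least min_pct of all rule ticks yet never matched:
    the MPM prefilter admitted them and the full signature then failed, so they
    are the first candidates for a tighter fast_pattern or prefilter anchor."""
    return [r for r in rows if r.matches == 0 and r.pct >= min_pct]


def checks_consistent(row):
    """Sanity check on the parse: ticks / checks must equal the reported average."""
    return abs(row.ticks / row.checks - row.avg_ticks) < 0.01


if __name__ == "__main__":
    for module, pct in share_by_module(parse_module_table(PACKET_STATS)).items():
        print(f"{module:<10} {pct:6.2f}% of flow-worker time")
    for r in costly_without_match(parse_rule_perf(RULE_PERF)):
        print(f"sid {r.sid} rev {r.rev}: {r.pct:.2f}% of rule ticks, {r.checks} check(s), 0 matches")
```

On the page's data the module share puts detect at 95.04% of flow-worker time, and the rule filter returns sids 2810816 and 2827279; the same parser runs unchanged over a full packet_stats.log or rule_perf.log written by Suricata's profiling build.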


suricata-report-2018-11-16-T-01-04-06-11162018.0059-oo.pcapng.txt (16555 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-base.yaml -l /var/www/html/7b0834f6af36f1bcd2c87d2838f41239c868f2786383154b95a80e4733a7b823 -r /var/pcap/11162018.0059-oo.pcapng -vvv -k none
elapsedtime:247.523405
stderr:
stdout:
16/11/2018 -- 00:59:58 - <Info> - Configuration node 'rule-files' redefined.
16/11/2018 -- 00:59:58 - <Notice> - This is Suricata version 4.0.0 RELEASE
16/11/2018 -- 00:59:58 - <Info> - CPUs/cores online: 1
16/11/2018 -- 00:59:58 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31578 and 'request-body-inspect-window' set to 15963 after randomization.
16/11/2018 -- 00:59:58 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33177 and 'response-body-inspect-window' set to 16261 after randomization.
16/11/2018 -- 00:59:58 - <Config> - DNS request flood protection level: 500
16/11/2018 -- 00:59:58 - <Config> - DNS per flow memcap (state-memcap): 524288
16/11/2018 -- 00:59:58 - <Config> - DNS global memcap: 16777216
16/11/2018 -- 00:59:58 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
16/11/2018 -- 00:59:58 - <Config> - preallocated 1000 hosts of size 136
16/11/2018 -- 00:59:58 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
16/11/2018 -- 00:59:58 - <Config> - using magic-file /usr/share/file/magic
16/11/2018 -- 00:59:58 - <Config> - Core dump size is unlimited.
16/11/2018 -- 00:59:58 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
16/11/2018 -- 00:59:58 - <Config> - preallocated 1000 defrag trackers of size 168
16/11/2018 -- 00:59:58 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
16/11/2018 -- 00:59:58 - <Config> - stream "prealloc-sessions": 2048 (per thread)
16/11/2018 -- 00:59:58 - <Config> - stream "memcap": 33554432
16/11/2018 -- 00:59:58 - <Config> - stream "midstream" session pickups: disabled
16/11/2018 -- 00:59:58 - <Config> - stream "async-oneside": disabled
16/11/2018 -- 00:59:58 - <Config> - stream "checksum-validation": disabled
16/11/2018 -- 00:59:58 - <Config> - stream."inline": disabled
16/11/2018 -- 00:59:58 - <Config> - stream "bypass": disabled
16/11/2018 -- 00:59:58 - <Config> - stream "max-synack-queued": 5
16/11/2018 -- 00:59:58 - <Config> - stream.reassembly "memcap": 134217728
16/11/2018 -- 00:59:58 - <Config> - stream.reassembly "depth": 0
16/11/2018 -- 00:59:58 - <Config> - stream.reassembly "toserver-chunk-size": 2512
16/11/2018 -- 00:59:58 - <Config> - stream.reassembly "toclient-chunk-size": 2536
16/11/2018 -- 00:59:58 - <Config> - stream.reassembly.raw: enabled
16/11/2018 -- 00:59:58 - <Config> - stream.reassembly "segment-prealloc": 2048
16/11/2018 -- 00:59:58 - <Config> - Delayed detect disabled
16/11/2018 -- 00:59:58 - <Config> - pattern matchers: MPM: ac, SPM: bm
16/11/2018 -- 00:59:58 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
16/11/2018 -- 00:59:58 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
16/11/2018 -- 00:59:58 - <Config> - prefilter engines: MPM
16/11/2018 -- 00:59:58 - <Config> - IP reputation disabled
16/11/2018 -- 00:59:58 - <Perf> - Registered 148 keyword profiling counters.
16/11/2018 -- 00:59:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
16/11/2018 -- 00:59:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
16/11/2018 -- 00:59:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
16/11/2018 -- 01:00:05 - <Config> - No rules loaded from ET-icmp.rules.
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
16/11/2018 -- 01:00:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
16/11/2018 -- 01:00:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
16/11/2018 -- 01:00:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
16/11/2018 -- 01:00:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
16/11/2018 -- 01:00:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
16/11/2018 -- 01:00:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
16/11/2018 -- 01:00:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
16/11/2018 -- 01:02:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
16/11/2018 -- 01:02:42 - <Config> - No rules loaded from local.rules.
16/11/2018 -- 01:02:42 - <Info> - 31 rule files processed. 32260 rules successfully loaded, 0 rules failed
16/11/2018 -- 01:02:44 - <Info> - Threshold config parsed: 0 rule(s) found
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for tcp-packet
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for tcp-stream
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for udp-packet
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for other-ip
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_uri
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_request_line
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_client_body
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_response_line
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_header
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_header
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_header_names
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_header_names
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_accept
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_accept_enc
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_accept_lang
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_referer
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_connection
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_content_len
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_content_len
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_content_type
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_content_type
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_protocol
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_protocol
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_start
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_start
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_raw_header
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_raw_header
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_method
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_cookie
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_cookie
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_raw_uri
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_user_agent
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_host
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_raw_host
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_stat_msg
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_stat_code
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for dns_query
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for tls_sni
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for tls_cert_issuer
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for tls_cert_subject
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for tls_cert_serial
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for dce_stub_data
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for dce_stub_data
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for ssh_protocol
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for ssh_protocol
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for ssh_software
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for ssh_software
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for file_data
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for file_data
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_request_line
16/11/2018 -- 01:02:44 - <Perf> - using shared mpm ctx' for http_response_line
16/11/2018 -- 01:02:44 - <Info> - 32265 signatures processed. 2 are IP-only rules, 14352 are inspecting packet payload, 21545 inspect application layer, 0 are decoder event only
16/11/2018 -- 01:02:44 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
16/11/2018 -- 01:02:46 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
16/11/2018 -- 01:02:46 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
16/11/2018 -- 01:02:46 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
16/11/2018 -- 01:02:47 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
16/11/2018 -- 01:02:48 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
16/11/2018 -- 01:02:48 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
16/11/2018 -- 01:02:58 - <Perf> - Unique rule groups: 102
16/11/2018 -- 01:02:58 - <Perf> - Builtin MPM "toserver TCP packet": 35
16/11/2018 -- 01:02:58 - <Perf> - Builtin MPM "toclient TCP packet": 17
16/11/2018 -- 01:02:58 - <Perf> - Builtin MPM "toserver TCP stream": 33
16/11/2018 -- 01:02:58 - <Perf> - Builtin MPM "toclient TCP stream": 19
16/11/2018 -- 01:02:58 - <Perf> - Builtin MPM "toserver UDP packet": 27
16/11/2018 -- 01:02:58 - <Perf> - Builtin MPM "toclient UDP packet": 15
16/11/2018 -- 01:02:58 - <Perf> - Builtin MPM "other IP packet": 3
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_uri": 14
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_request_line": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_client_body": 5
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient http_response_line": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_header": 10
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient http_header": 6
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_header_names": 2
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_accept": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_referer": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_content_len": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_content_type": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient http_content_type": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_protocol": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_start": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_method": 5
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_cookie": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient http_cookie": 2
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver http_host": 2
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver dns_query": 4
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver tls_sni": 2
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toserver file_data": 1
16/11/2018 -- 01:02:58 - <Perf> - AppLayer MPM "toclient file_data": 7
16/11/2018 -- 01:04:05 - <Perf> - Registered 32265 rule profiling counters.
16/11/2018 -- 01:04:05 - <Info> - fast output device (regular) initialized: alert
16/11/2018 -- 01:04:05 - <Info> - eve-log output device (regular) initialized: eve.json
16/11/2018 -- 01:04:05 - <Config> - enabling 'eve-log' module 'alert'
16/11/2018 -- 01:04:05 - <Config> - enabling 'eve-log' module 'http'
16/11/2018 -- 01:04:05 - <Config> - enabling 'eve-log' module 'dns'
16/11/2018 -- 01:04:05 - <Config> - enabling 'eve-log' module 'tls'
16/11/2018 -- 01:04:05 - <Config> - enabling 'eve-log' module 'files'
16/11/2018 -- 01:04:05 - <Config> - enabling 'eve-log' module 'ssh'
16/11/2018 -- 01:04:05 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
16/11/2018 -- 01:04:05 - <Info> - stats output device (regular) initialized: stats.log
16/11/2018 -- 01:04:05 - <Config> - AutoFP mode using "Hash" flow load balancer
16/11/2018 -- 01:04:05 - <Info> - reading pcap file /var/pcap/11162018.0059-oo.pcapng
16/11/2018 -- 01:04:05 - <Config> - using 1 flow manager threads
16/11/2018 -- 01:04:05 - <Config> - using 1 flow recycler threads
16/11/2018 -- 01:04:05 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
16/11/2018 -- 01:04:05 - <Info> - pcap file end of file reached (pcap err code 0)
16/11/2018 -- 01:04:05 - <Notice> - Signal Received.  Stopping engine.
16/11/2018 -- 01:04:05 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
16/11/2018 -- 01:04:05 - <Info> - time elapsed 0.248s
16/11/2018 -- 01:04:06 - <Perf> - 8 flows processed
16/11/2018 -- 01:04:06 - <Notice> - Pcap-file module read 54 packets, 7382 bytes
16/11/2018 -- 01:04:06 - <Perf> - AutoFP - Total flow handler queues - 1
16/11/2018 -- 01:04:06 - <Info> - Alerts: 1
16/11/2018 -- 01:04:06 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
16/11/2018 -- 01:04:06 - <Perf> - Done dumping profiling data.
16/11/2018 -- 01:04:06 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
16/11/2018 -- 01:04:06 - <Perf> - Dumping profiling data for 32265 rules.
16/11/2018 -- 01:04:06 - <Perf> - Done dumping profiling data.
16/11/2018 -- 01:0

This file has been truncated.


stats.log - (2752 bytes)
------------------------------------------------------------------------------------
Date: 11/16/2018 -- 01:04:06 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 54
decoder.bytes                              | Total                     | 7382
decoder.ipv4                               | Total                     | 46
decoder.ethernet                           | Total                     | 54
decoder.tcp                                | Total                     | 39
decoder.udp                                | Total                     | 7
decoder.avg_pkt_size                       | Total                     | 136
decoder.max_pkt_size                       | Total                     | 1312
flow.tcp                                   | Total                     | 4
flow.udp                                   | Total                     | 4
tcp.sessions                               | Total                     | 2
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
detect.alert                               | Total                     | 1
detect.mpm_list                            | Total                     | 3
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 3
app_layer.tx.http                          | Total                     | 1
app_layer.flow.tls                         | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 1
app_layer.flow.failed_udp                  | Total                     | 3
flow.spare                                 | Total                     | 9995
flow_mgr.flows_checked                     | Total                     | 4
flow_mgr.flows_notimeout                   | Total                     | 4
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65532
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075168


eve.json - (1626 bytes)
{"timestamp":"2018-02-25T03:53:53.407459+0000","flow_id":801832600418211,"pcap_cnt":7,"event_type":"dns","src_ip":"192.168.1.4","src_port":58282,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41417,"rrname":"support.emergingthreats.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-02-25T03:53:53.431995+0000","flow_id":801832600418211,"pcap_cnt":8,"event_type":"dns","src_ip":"192.168.1.1","src_port":53,"dest_ip":"192.168.1.4","dest_port":58282,"proto":"UDP","dns":{"type":"answer","id":41417,"rcode":"NOERROR","rrname":"support.emergingthreats.net","rrtype":"A","ttl":60,"rdata":"54.87.58.224"}}
{"timestamp":"2018-02-25T03:53:53.802916+0000","flow_id":1909981407451334,"pcap_cnt":21,"event_type":"tls","src_ip":"192.168.1.4","src_port":49441,"dest_ip":"54.87.58.224","dest_port":443,"proto":"TCP","tls":{"session_resumed":true}}
{"timestamp":"2018-02-25T03:54:01.197218+0000","flow_id":1626455583941197,"pcap_cnt":44,"event_type":"alert","src_ip":"192.168.1.134","src_port":37792,"dest_ip":"192.168.1.4","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2829796,"rev":1,"signature":"ETPRO TROJAN OilRig OopsIE CnC Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-02-25T03:54:03.683299+0000","flow_id":1626455583941197,"event_type":"http","src_ip":"192.168.1.134","src_port":37792,"dest_ip":"192.168.1.4","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.msoffice365cdn.com","url":"\/chk?5269636B20456E676C6973682FF57484E2D445051434F4E424C314E38","http_user_agent":"Mozilla\/4.0"}}


unified2.alert.1542330245 - (392 bytes)
4Z’3Yb+-äÀ¨†À¨“ PDZ’3YZ’3Yb(E6À¨†À¨“ PPsGET /chk?5269636B20456E676C6973682FF57484E2D445051434F4E424C314E38 HTTP/1.1
Host: www.msoffice365cdn.com
User-Agent: Mozilla/4.0
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


keyword_perf.log - (7320 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/16/2018 -- 01:04:06
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             149129          39              39              15564           3823.00         3823.00         0.00           
  content          305040          72              37              9263            4236.00         4473.00         3985.00        
  pcre             129543          6               1               40238           21590.00        19228.00        22063.00       
  byte_test        43362           9               4               16369           4818.00         6794.00         3236.00        
  byte_jump        8653            1               0               8653            8653.00         0.00            8653.00        
  isdataat         3306            1               0               3306            3306.00         0.00            3306.00        
  urilen           7530            2               1               3973            3765.00         3973.00         3557.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             149129          39              39              15564           3823.00         3823.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          58429           13              8               9263            4494.00         4968.00         3736.00        
  pcre             10070           1               0               10070           10070.00        0.00            10070.00       
  byte_test        43362           9               4               16369           4818.00         6794.00         3236.00        
  byte_jump        8653            1               0               8653            8653.00         0.00            8653.00        
  isdataat         3306            1               0               3306            3306.00         0.00            3306.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          45123           11              2               5451            4102.00         3893.00         4148.00        
  pcre             96092           4               1               40238           24023.00        19228.00        25621.00       
  urilen           7530            2               1               3973            3765.00         3973.00         3557.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          155337          36              19              7325            4314.00         4487.00         4121.00        
  pcre             23381           1               0               23381           23381.00        0.00            23381.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12648           3               2               5158            4216.00         4308.00         4032.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9939            3               1               3551            3313.00         3551.00         3194.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          23564           6               5               4828            3927.00         4113.00         2998.00        


IDSDeathBlossom.py.log - (1146 bytes)
2018-11-16 00:59:57,808 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-16 00:59:58,694 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-16 00:59:58,694 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-base
2018-11-16 00:59:58,695 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-16 00:59:58,695 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-16 00:59:58,695 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-base.yaml -l /var/www/html/7b0834f6af36f1bcd2c87d2838f41239c868f2786383154b95a80e4733a7b823 -r /var/pcap/11162018.0059-oo.pcapng -vvv -k none
2018-11-16 01:04:06,222 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-16 01:04:06,222 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 248.423278093


suricata-4.0.0-etpro-base-alert-2018-11-16-T-01-04-06-11162018.0059-oo.pcapng.txt - (197 bytes)
02/25/2018-03:54:01.197218  [**] [1:2829796:1] ETPRO TROJAN OilRig OopsIE CnC Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.134:37792 -> 192.168.1.4:80