Filename: 3214cb49-8f74-448f-9aa8-b4092a4ad4e7.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 24.169148922 seconds
Hash: 84de023428e25aac77fba9d8feb664c8 (MD5)
Uploaded: 1564061109 (Unix epoch, 2019-07-25 13:25:09 UTC)

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2019-07-25-T-13-25-33-07252019.1325-3214cb49-8f74-448f-9aa8-b4092a4ad4e7.pcap.txt - (19286 bytes)
  --------------------------------------------------------------------------
  Date: 7/25/2019 -- 13:25:33. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2816909      1        2        532544       4.35   1        0        532544      532544.00   0.00        532544.00  
  2        2815817      1        5        472860       3.86   1        0        472860      472860.00   0.00        472860.00  
  3        2821615      1        2        462150       3.78   1        0        462150      462150.00   0.00        462150.00  
  4        2022082      1        3        455978       3.73   1        1        455978      455978.00   455978.00   0.00       
  5        2826256      1        2        453912       3.71   1        0        453912      453912.00   0.00        453912.00  
  6        2019230      1        2        446752       3.65   2        0        441032      223376.00   0.00        223376.00  
  7        2816382      1        1        424716       3.47   1        0        424716      424716.00   0.00        424716.00  
  8        2805348      1        4        1188614      9.71   13       0        140752      91431.85    0.00        91431.85   
  9        2823676      1        2        108458       0.89   1        1        108458      108458.00   108458.00   0.00       
  10       2827279      1        5        107478       0.88   1        0        107478      107478.00   0.00        107478.00  
  11       2025064      1        5        104276       0.85   1        0        104276      104276.00   0.00        104276.00  
  12       2827505      1        2        103426       0.85   1        0        103426      103426.00   0.00        103426.00  
  13       2816910      1        2        95902        0.78   1        0        95902       95902.00    0.00        95902.00   
  14       2816940      1        2        95402        0.78   1        0        95402       95402.00    0.00        95402.00   
  15       2828008      1        2        95248        0.78   1        0        95248       95248.00    0.00        95248.00   
  16       2023583      1        4        69878        0.57   1        0        69878       69878.00    0.00        69878.00   
  17       2820851      1        5        66230        0.54   1        0        66230       66230.00    0.00        66230.00   
  18       2023916      1        2        59742        0.49   1        0        59742       59742.00    0.00        59742.00   
  19       2816328      1        5        59692        0.49   1        0        59692       59692.00    0.00        59692.00   
  20       2823166      1        3        58644        0.48   1        0        58644       58644.00    0.00        58644.00   
  21       2024771      1        1        57170        0.47   1        0        57170       57170.00    0.00        57170.00   
  22       2816165      1        5        56536        0.46   1        0        56536       56536.00    0.00        56536.00   
  23       2816327      1        4        56164        0.46   1        0        56164       56164.00    0.00        56164.00   
  24       2830124      1        1        55852        0.46   1        0        55852       55852.00    0.00        55852.00   
  25       2816525      1        10       54738        0.45   1        0        54738       54738.00    0.00        54738.00   
  26       2009702      1        5        97352        0.80   4        0        53666       24338.00    0.00        24338.00   
  27       2014701      1        12       107334       0.88   4        0        51450       26833.50    0.00        26833.50   
  28       2022914      1        1        50574        0.41   1        0        50574       50574.00    0.00        50574.00   
  29       2816929      1        4        49450        0.40   1        0        49450       49450.00    0.00        49450.00   
  30       2828123      1        2        47726        0.39   1        0        47726       47726.00    0.00        47726.00   
  31       2012612      1        16       47570        0.39   1        0        47570       47570.00    0.00        47570.00   
  32       2816526      1        13       46578        0.38   1        0        46578       46578.00    0.00        46578.00   
  33       2829644      1        1        46452        0.38   1        0        46452       46452.00    0.00        46452.00   
  34       2816928      1        3        46320        0.38   1        0        46320       46320.00    0.00        46320.00   
  35       2816922      1        5        46210        0.38   1        0        46210       46210.00    0.00        46210.00   
  36       2012707      1        5        46198        0.38   1        0        46198       46198.00    0.00        46198.00   
  37       2025162      1        2        45984        0.38   1        0        45984       45984.00    0.00        45984.00   
  38       2018359      1        3        45532        0.37   1        0        45532       45532.00    0.00        45532.00   
  39       2816924      1        4        44998        0.37   1        0        44998       44998.00    0.00        44998.00   
  40       2816925      1        3        44852        0.37   1        0        44852       44852.00    0.00        44852.00   
  41       2816927      1        3        44560        0.36   1        0        44560       44560.00    0.00        44560.00   
  42       2819673      1        4        44224        0.36   1        0        44224       44224.00    0.00        44224.00   
  43       2816931      1        3        44170        0.36   1        0        44170       44170.00    0.00        44170.00   
  44       2816930      1        4        43640        0.36   1        0        43640       43640.00    0.00        43640.00   
  45       2022543      1        1        69556        0.57   2        0        43326       34778.00    0.00        34778.00   
  46       2010140      1        7        427034       3.49   52       0        41868       8212.19     0.00        8212.19    
  47       2020771      1        2        39912        0.33   1        0        39912       39912.00    0.00        39912.00   
  48       2804626      1        9        39822        0.33   1        0        39822       39822.00    0.00        39822.00   
  49       2830035      1        2        37374        0.31   1        0        37374       37374.00    0.00        37374.00   
  50       2829607      1        1        37370        0.31   1        0        37370       37370.00    0.00        37370.00   
  51       2828190      1        2        36348        0.30   1        0        36348       36348.00    0.00        36348.00   
  52       2814229      1        2        36310        0.30   1        0        36310       36310.00    0.00        36310.00   
  53       2809267      1        8        36206        0.30   1        0        36206       36206.00    0.00        36206.00   
  54       2816857      1        2        35928        0.29   1        0        35928       35928.00    0.00        35928.00   
  55       2803760      1        3        61656        0.50   2        0        35220       30828.00    0.00        30828.00   
  56       2808852      1        4        34864        0.28   1        0        34864       34864.00    0.00        34864.00   
  57       2017552      1        6        82644        0.68   3        0        34430       27548.00    0.00        27548.00   
  58       2808851      1        4        34102        0.28   1        0        34102       34102.00    0.00        34102.00   
  59       2014702      1        9        68210        0.56   4        0        33836       17052.50    0.00        17052.50   
  60       2014703      1        9        66458        0.54   4        0        31308       16614.50    0.00        16614.50   
  61       2100540      1        12       34480        0.28   2        0        29544       17240.00    0.00        17240.00   
  62       2023625      1        3        258218       2.11   41       0        29508       6298.00     0.00        6298.00    
  63       2013382      1        3        28244        0.23   1        0        28244       28244.00    0.00        28244.00   
  64       2020776      1        2        27968        0.23   1        0        27968       27968.00    0.00        27968.00   
  65       2022918      1        2        27306        0.22   1        1        27306       27306.00    27306.00    0.00       
  66       2826281      1        2        53942        0.44   2        0        27212       26971.00    0.00        26971.00   
  67       2016537      1        2        51998        0.42   2        0        27130       25999.00    0.00        25999.00   
  68       2023624      1        3        249512       2.04   48       0        26008       5198.17     0.00        5198.17    
  69       2811544      1        1        30402        0.25   2        0        25396       15201.00    0.00        15201.00   
  70       2811577      1        2        30098        0.25   2        0        24452       15049.00    0.00        15049.00   
  71       2013739      1        15       257810       2.11   50       0        20246       5156.20     0.00        5156.20    
  72       2019010      1        3        77650        0.63   13       0        18162       5973.08     0.00        5973.08    
  73       2805211      1        1        15778        0.13   1        0        15778       15778.00    0.00        15778.00   
  74       2828876      1        1        45208        0.37   7        0        12350       6458.29     0.00        6458.29    
  75       2019016      1        3        85612        0.70   17       0        9682        5036.00     0.00        5036.00    
  76       2025200      1        1        24472        0.20   4        0        8354        6118.00     0.00        6118.00    
  77       2810793      1        5        8146         0.07   1        0        8146        8146.00     0.00        8146.00    
  78       2010143      1        3        255566       2.09   52       0        8106        4914.73     0.00        4914.73    
  79       2804586      1        2        8058         0.07   1        0        8058        8058.00     0.00        8058.00    
  80       2008116      1        4        86436        0.71   17       0        8008        5084.47     0.00        5084.47    
  81       2019011      1        3        86434        0.71   17       0        7538        5084.35     0.00        5084.35    
  82       2009243      1        2        64710        0.53   12       0        7386        5392.50     0.00        5392.50    
  83       2019017      1        3        65020        0.53   13       0        7322        5001.54     0.00        5001.54    
  84       2021702      1        1        13290        0.11   2        0        7256        6645.00     0.00        6645.00    
  85       2100518      1        8        85718        0.70   17       0        7102        5042.24     0.00        5042.24    
  86       2810792      1        5        7090         0.06   1        0        7090        7090.00     0.00        7090.00    
  87       2008420      1        4        12528        0.10   2        0        7078        6264.00     0.00        6264.00    
  88       2023627      1        3        187108       1.53   38       0        7052        4923.89     0.00        4923.89    
  89       2008120      1        4        264318       2.16   54       0        6844        4894.78     0.00        4894.78    
  90       2023623      1        3        161808       1.32   34       0        6712        4759.06     0.00        4759.06    
  91       2009387      1        4        6622         0.05   1        0        6622        6622.00     0.00        6622.00    
  92       2017935      1        3        12996        0.11   2        0        6614        6498.00     0.00        6498.00    
  93       2809487      1        2        11826        0.10   2        0        6586        5913.00     0.00        5913.00    
  94       2023622      1        3        269786       2.20   56       0        6564        4817.61     0.00        4817.61    
  95       2100566      1        5        29788        0.24   6        0        6500        4964.67     0.00        4964.67    
  96       2008117      1        3        82566        0.67   17       0        6480        4856.82     0.00        4856.82    
  97       2802205      1        3        85158        0.70   17       0        6456        5009.29     0.00        5009.29    
  98       2100327      1        10       6438         0.05   1        0        6438        6438.00     0.00        6438.00    
  99       2008118      1        3        62080        0.51   12       0        6148        5173.33     0.00        5173.33    
  100      2010142      1        4        246534       2.01   52       0        6130        4741.04     0.00        4741.04    
  101      2816920      1        1        6118         0.05   1        0        6118        6118.00     0.00        6118.00    
  102      2802822      1        1        84288        0.69   17       0        6110        4958.12     0.00        4958.12    
  103      2828877      1        1        6094         0.05   1        0        6094        6094.00     0.00        6094.00    
  104      2023626      1        3        207392       1.69   44       0        6086        4713.45     0.00        4713.45    
  105      2100540      1        12       11074        0.09   2        0        6062        5537.00     0.00        5537.00    
  106      2020661      1        3        11892        0.10   2        0        5984        5946.00     0.00        5946.00    
  107      2102190      1        5        11214        0.09   2        0        5968        5607.00     0.00        5607.00    
  108      2020369      1        3        5960         0.05   1        0        5960        5960.00     0.00        5960.00    
  109      2016323      1        1        31152        0.25   6        0        5954        5192.00     0.00        5192.00    
  110      2806561      1        5        5920         0.05   1        0        5920        5920.00     0.00        5920.00    
  111      2021701      1        1        11134        0.09   2        0        5898        5567.00     0.00        5567.00    
  112      2816380      1        1        5796         0.05   1        0        5796        5796.00     0.00        5796.00    
  113      2013506      1        1        5796         0.05   1        0        5796        5796.00     0.00        5796.00    
  114      2001330      1        8        11060        0.09   2        0        5780        5530.00     0.00        5530.00    
  115      2823788      1        4        11274        0.09   2        0        5770        5637.00     0.00        5637.00    
  116      2015986      1        5        10842        0.09   2        0        5624        5421.00     0.00        5421.00    
  117      2013075      1        8        10424        0.09   2        0        5608        5212.00     0.00        5212.00    
  118      2020388      1        8        5568         0.05   1        0        5568        5568.00     0.00        5568.00    
  119      2010939      1        3        5454         0.04   1        0        5454        5454.00     0.00        5454.00    
  120      2001219      1        20       5442         0.04   1        0        5442        5442.00     0.00        5442.00    
  121      2102523      1        8        15174        0.12   3        0        5402        5058.00     0.00        5058.00    
  122      2016363      1        2        29456        0.24   6        0        5348        4909.33     0.00        4909.33    
  123      2103239      1        4        5346         0.04   1        0        5346        5346.00     0.00        5346.00    
  124      2023616      1        3        19722        0.16   4        0        5236        4930.50     0.00        4930.50    
  125      2801347      1        5        7

This file has been truncated.
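The table above is sorted by max ticks (the order Suricata prints when `profiling.rules.sort` in suricata.yaml is set to `maxticks`; `ticks`, `avgticks`, `checks` and `matches` are the other keys), so the rows at the top are the single most expensive evaluations, not the rules the ruleset pays most for. Row 8 (SID 2805348) accounts for 9.71% of all rule ticks over 13 checks, yet sits below seven rules that were each checked once. The Python below is added here as an example; it is not code from the Suricata project or from the sandbox that produced this report. It parses the dump, drops the truncated final row, and re-ranks by total ticks, by per-evaluation cost among rules that never matched (the first candidates for a `fast_pattern` or threshold review), and by checks without a match. `SAMPLE` is a subset of rows copied from the table above, so its `%` column still refers to the full file.

```python
"""Re-rank a Suricata rule-profiling ("perf") dump by what the rules cost.

Added example for this page; not code from the Suricata project or from the
sandbox that produced the report.  SAMPLE is a subset of rows copied from
the perf table on the page, including its truncated last row.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = """\
  --------------------------------------------------------------------------
  Date: 7/25/2019 -- 13:25:33. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2816909      1        2        532544       4.35   1        0        532544      532544.00   0.00        532544.00
  4        2022082      1        3        455978       3.73   1        1        455978      455978.00   455978.00   0.00
  6        2019230      1        2        446752       3.65   2        0        441032      223376.00   0.00        223376.00
  8        2805348      1        4        1188614      9.71   13       0        140752      91431.85    0.00        91431.85
  9        2823676      1        2        108458       0.89   1        1        108458      108458.00   108458.00   0.00
  46       2010140      1        7        427034       3.49   52       0        41868       8212.19     0.00        8212.19
  62       2023625      1        3        258218       2.11   41       0        29508       6298.00     0.00        6298.00
  65       2022918      1        2        27306        0.22   1        1        27306       27306.00    27306.00    0.00
  94       2023622      1        3        269786       2.20   56       0        6564        4817.61     0.00        4817.61
  125      2801347      1        5        7
"""

_ROW_FIELDS = 12  # Num Rule Gid Rev Ticks % Checks Matches Max Avg AvgMatch AvgNoMatch


@dataclass(frozen=True)
class RuleProfile:
    num: int
    sid: int
    gid: int
    rev: int
    ticks: int            # total CPU ticks spent evaluating this rule
    pct: float            # share of all rule ticks, as printed in the dump
    checks: int           # times the detect engine fully evaluated the rule
    matches: int          # times it alerted
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_no_match: float


def sort_key(text: str) -> Optional[str]:
    """Return the 'Sorted by:' key printed in the dump header, if present."""
    m = re.search(r"Sorted by:\s*(.+?)\.\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_rule_profile(text: str) -> List[RuleProfile]:
    """Parse data rows; header, rule lines and truncated rows are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # A data row has exactly 12 fields and starts with two integers.
        # The dashed separator also has 12 tokens, so check the digits too.
        if len(tok) != _ROW_FIELDS or not (tok[0].isdigit() and tok[1].isdigit()):
            continue
        rows.append(RuleProfile(
            num=int(tok[0]), sid=int(tok[1]), gid=int(tok[2]), rev=int(tok[3]),
            ticks=int(tok[4]), pct=float(tok[5]), checks=int(tok[6]),
            matches=int(tok[7]), max_ticks=int(tok[8]), avg_ticks=float(tok[9]),
            avg_match=float(tok[10]), avg_no_match=float(tok[11])))
    return rows


def top_by_total_ticks(rows: List[RuleProfile], n: int = 5) -> List[RuleProfile]:
    """Total ticks is what the ruleset actually pays; the dump is not sorted by it."""
    return sorted(rows, key=lambda r: r.ticks, reverse=True)[:n]


def costly_non_matching(rows: List[RuleProfile], min_avg: float) -> List[RuleProfile]:
    """Rules that never alerted but cost >= min_avg ticks per evaluation."""
    hits = (r for r in rows if r.matches == 0 and r.avg_no_match >= min_avg)
    return sorted(hits, key=lambda r: r.avg_no_match, reverse=True)


def most_checked_without_match(rows: List[RuleProfile], n: int = 3) -> List[RuleProfile]:
    """Rules that reach full evaluation often yet never match: weak prefilter candidates."""
    return sorted((r for r in rows if r.matches == 0), key=lambda r: r.checks, reverse=True)[:n]


def matched_sids(rows: List[RuleProfile]) -> List[int]:
    return [r.sid for r in rows if r.matches > 0]


def inconsistent_rows(rows: List[RuleProfile], tol: float = 1.0) -> List[int]:
    """SIDs whose Ticks disagree with Avg Ticks * Checks beyond rounding (avg has 2 decimals)."""
    return [r.sid for r in rows if abs(r.ticks - r.avg_ticks * r.checks) > tol * r.checks]


if __name__ == "__main__":
    rows = parse_rule_profile(SAMPLE)
    print("dump sorted by:", sort_key(SAMPLE), "| parsed rows:", len(rows))
    for r in top_by_total_ticks(rows, 3):
        print(f"sid {r.sid} rev {r.rev}: {r.ticks} ticks / {r.checks} checks, {r.matches} matches")
    for r in most_checked_without_match(rows, 2):
        print(f"sid {r.sid}: {r.checks} checks, no match, avg {r.avg_no_match:.0f} ticks")
```

Two caveats when reading the numbers this way. Ticks are raw CPU cycles from a profiling-enabled build, which itself adds overhead, so compare rules against each other rather than against wall-clock time. And this pcap is small: the packet profile below counts 33 TCP, 50 UDP and 10 IPv6 packets, so most rules here were checked exactly once and a single cold-cache evaluation can put a rule at the top of the list; rankings from a capture this short should be confirmed on a longer run before a rule is disabled or rewritten.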


packet_stats.log - (15183 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            33          2249874       76223054      56427969          1.9b   42.36
 IPv4      17            50          5081322       75054796      43445794          2.2b   49.42
 IPv6      17            10          4762242       75582752      36155153        361.6m    8.22
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            33           114570       10043642        645590         21.3m   29.00
TMM_FLOWWORKER              IPv4      17            50           216516       16171058        942809         47.1m   64.16
TMM_RECEIVEPCAPFILE         IPv4       6            29             4456           8178          5218        151.3k    0.21
TMM_RECEIVEPCAPFILE         IPv4      17            50             4448           7956          5061        253.1k    0.34
TMM_DECODEPCAPFILE          IPv4       6            29             4624          16500          5660        164.2k    0.22
TMM_DECODEPCAPFILE          IPv4      17            50             4590           6784          5096        254.8k    0.35
TMM_FLOWWORKER              IPv6      17            10           195758        1130096        405418          4.1m    5.52
TMM_RECEIVEPCAPFILE         IPv6      17            10             4518          11494          5513         55.1k    0.08
TMM_DECODEPCAPFILE          IPv6      17            10             4680          44566          9210         92.1k    0.13

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot     %
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
flow                    IPv4       6            29             4764           6782          5413        157.0k  0.28  
flow                    IPv4      17            50             4764         421328         14622        731.1k  1.28  
stream                  IPv4       6            33             4588         828694         56560          1.9m  3.28  
app-layer               IPv4      17            50             4434          59764          8808        440.4k  0.77  
detect                  IPv4       6            33            77584        7919278        504022         16.6m  29.22 
detect                  IPv4      17            50           187750       15170422        661326         33.1m  58.10 
tcp-prune               IPv4       6            33             4468          10856          5185        171.1k  0.30  
flow                    IPv6      17            10             4754          38612          9696         97.0k  0.17  
app-layer               IPv6      17            10             4524          46462         12342        123.4k  0.22  
detect                  IPv6      17            10           167978        1083298        362773          3.6m  6.37  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot     %
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
http                    IPv4       6             2             5416          70546         37981         76.0k  50.27 
dns                     IPv4      17             5             7838          20526         12523         62.6k  41.44 
dns                     IPv6      17             1            12530          12530         12530         12.5k  8.29  
Proto detect            IPv4      17            10             4594          19004          9281         92.8k
Proto detect            IPv6      17             4             5338          35654         13841         55.4k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         %
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- -----
LOGGER_ALERT_FAST           IPv4       6             1           568550         568550        568550        568.5k  20.48 
LOGGER_ALERT_FAST           IPv4      17             1            23572          23572         23572         23.6k  0.85  
LOGGER_UNIFIED2             IPv4       6             1           627938         627938        627938        627.9k  22.62 
LOGGER_UNIFIED2             IPv4      17             1            23284          23284         23284         23.3k  0.84  
LOGGER_JSON_ALERT           IPv4       6             1           153984         153984        153984        154.0k  5.55  
LOGGER_JSON_ALERT           IPv4      17             1            51056          51056         51056         51.1k  1.84  
LOGGER_JSON_DNS             IPv4      17             4            44820         890974        264947          1.1m  38.18 
LOGGER_JSON_HTTP            IPv4       6             1            83998          83998         83998         84.0k  3.03  
LOGGER_JSON_FILE            IPv4       6             1           183548         183548        183548        183.5k  6.61  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            15             4990         490234         62263       934.0k  27.26 
payload                           IPv4      17            50             5482         107696         18743       937.2k  27.36 
stream                            IPv4       6            15             4450         151794         32230       483.5k  14.11 
http_uri                          IPv4       6             1            12820          12820         12820        12.8k  0.37  
http_request_line                 IPv4       6             1            10542          10542         10542        10.5k  0.31  
http_client_body                  IPv4       6             1             6048           6048          6048         6.0k  0.18  
http_header (request)             IPv4       6             1            62422          62422         62422        62.4k  1.82  
http_header (request trailer)     IPv4       6             1             4542           4542          4542         4.5k  0.13  
http_header_names (request)       IPv4       6             1            19230          19230         19230        19.2k  0.56  
http_accept (request)             IPv4       6             1             6208           6208          6208         6.2k  0.18  
http_referer (request)            IPv4       6             1           425334         425334        425334       425.3k  12.42 
http_content_len (request)        IPv4       6             1             6678           6678          6678         6.7k  0.19  
http_content_type (request)       IPv4       6             1             5512           5512          5512         5.5k  0.16  
http_protocol (request)           IPv4       6             1             8294           8294          8294         8.3k  0.24  
http_start (request)              IPv4       6             1            15726          15726         15726        15.7k  0.46  
http_raw_header (request)         IPv4       6             1            19296          19296         19296        19.3k  0.56  
http_method                       IPv4       6             1            10374          10374         10374        10.4k  0.30  
http_cookie (request)             IPv4       6             1             5056           5056          5056         5.1k  0.15  
http_raw_uri                      IPv4       6             1             8958           8958          8958         9.0k  0.26  
http_user_agent                   IPv4       6             1            36176          36176         36176        36.2k  1.06  
http_host                         IPv4       6             1            12404          12404         12404        12.4k  0.36  
dns_query                         IPv4      17             2            13468          18530         15999        32.0k  0.93  
http_response_line                IPv4       6             1            13288          13288         13288        13.3k  0.39  
http_header (response)            IPv4       6             1            42610          42610         42610        42.6k  1.24  
http_header (response trailer)    IPv4       6             1             4954           4954          4954         5.0k  0.14  
http_content_type (response)      IPv4       6             1            12540          12540         12540        12.5k  0.37  
http_raw_header (response)        IPv4       6             1            15942          15942         15942        15.9k  0.47  
http_cookie (response)            IPv4       6             1             5998           5998          5998         6.0k  0.18  
http_stat_code                    IPv4       6             1             6716           6716          6716         6.7k  0.20  
Total                             IPv4                   107                                         29572         3.2m
payload                           IPv6      17            10             5346         121266         26127       261.3k  7.63  
Total                             IPv6                    10                                         26127       261.3k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         %
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- -----
PROF_DETECT_IPONLY          IPv4       6             4            22562          74226         55507        222.0k  0.38  
PROF_DETECT_IPONLY          IPv4      17            10            42894         178820         82647        826.5k  1.43  
PROF_DETECT_RULES           IPv4       6            33             4444        6574132        256588          8.5m  14.68 
PROF_DETECT_RULES           IPv4      17            50            87082       14761430        483357         24.2m  41.89 
PROF_DETECT_STATEFUL_START    IPv4       6             4             9220        2467598        634646          2.5m  4.40  
PROF_DETECT_STATEFUL_START    IPv4      17             1            17466          17466         17466         17.5k  0.03  
PROF_DETECT_STATEFUL_CONT    IPv4       6            33             4416          18800          6435        212.4k  0.37  
PROF_DETECT_STATEFUL_CONT    IPv4      17            50             4404         831506         25223          1.3m  2.19  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6             7             4464           6544          5189         36.3k  0.06  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             4             4658           7816          5577         22.3k  0.04  
PROF_DETECT_PREFILTER       IPv4       6            33            13772         924528        126494          4.2m  7.23  
PROF_DETECT_PREFILTER       IPv4      17            50            41580         146456         62721          3.1m  5.44  
PROF_DETECT_PF_PAYLOAD      IPv4       6            15            23528         508428        110833          1.7m  2.88  
PROF_DETECT_PF_PAYLOAD      IPv4      17            50            14440         116880         28507          1.4m  2.47  
PROF_DETECT_PF_TX           IPv4       6             7             4684         769212        135256        946.8k  1.64  
PROF_DETECT_PF_TX           IPv4      17             2            25384          28238         26811         53.6k  0.09  
PROF_DETECT_PF_SORT1        IPv4       6             8             4604          10156          6033         48.3k  0.08  
PROF_DETECT_PF_SORT1        IPv4      17            50             4514           7982          5709        285.5k  0.49  
PROF_DETECT_PF_SORT2        IPv4       6            33             4418         826116         29887        986.3k  1.71  
PROF_DETECT_PF_SORT2        IPv4      17            50             4452          24546          5476        273.8k  0.47  
PROF_DETECT_NONMPMLIST      IPv4       6            33             4686         349648         15599        514.8k  0.89  
PROF_DETECT_NONMPMLIST      IPv4      17            50             4430          12402          5071        253.6k  0.44  
PROF_DETECT_ALERT           IPv4       6            33             4420         341236         14929        492.7k  0.85  
PROF_DETECT_ALERT           IPv4      17            50             4420           8866          4936        246.8k  0.43  
PROF_DETECT_CLEANUP         IPv4       6            33             4502          29686          6913        228.1k  0.40  
PROF_DETECT_CLEANUP         IPv4      17            50             4422          32716          5866        293.3k  0.51  
PROF_DETECT_GETSGH          IPv4       6            33             4530         573278         27475        906.7k  1.57  
PROF_DETECT_GETSGH          IPv4      17            50             4638          22726          6375        318.8k  0.55  
PROF_DETECT_IPONLY          IPv6      17             4             5590          47658         17920         71.7k  0.12  
PROF_DETECT_RULES           IPv6      17            10            59836         255164        123859          1.2m  2.15  
PROF_DETECT_STATEFUL_CONT    IPv6      17            10             4658         828508         87216        872.2k  1.51  
PROF_DETECT_PREFILTER       IPv6      17            10            41356         165414         69132        691.3k  1.20  
PROF_DETECT_PF_PAYLOAD      IPv6      17            10            14212         130332         35442        354.4k  0.61  
PROF_DETECT_PF_SORT1        IPv6      17            10             4560          22310          7080         70.8k  0.12  
PROF_DETECT_PF_SORT2        IPv6      17            10             4466           6474          5077         50.8k  0.09  
PROF_DETECT_NONMPMLIST      IPv6      17            10             4648           5954          5019         50.2k  0.09  
PROF_DETECT_ALERT           IPv6      17            10             4432          17290          5862         58.6k  0.10  
PROF_DETECT_CLEANUP         IPv6      17            10             4446           7488          5095         51.0k  0.09  
PROF_DETECT_GETSGH          IPv6      17            10             4682          94686         16982        169.8k  0.29  


suricata-report-2019-07-25-T-13-25-33-07252019.1325-3214cb49-8f74-448f-9aa8-b4092a4ad4e7.pcap.txt - (17707 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/84de023428e25aac77fba9d8feb664c856b33745cb75ec8c950e11a498e082d2 -r /var/pcap/07252019.1325-3214cb49-8f74-448f-9aa8-b4092a4ad4e7.pcap -vvv -k none
elapsedtime:23.183688
stderr:
stdout:
25/7/2019 -- 13:25:10 - <Info> - Configuration node 'rule-files' redefined.
25/7/2019 -- 13:25:10 - <Notice> - This is Suricata version 4.0.0 RELEASE
25/7/2019 -- 13:25:10 - <Info> - CPUs/cores online: 1
25/7/2019 -- 13:25:10 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33591 and 'request-body-inspect-window' set to 16150 after randomization.
25/7/2019 -- 13:25:10 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32062 and 'response-body-inspect-window' set to 16587 after randomization.
25/7/2019 -- 13:25:10 - <Config> - DNS request flood protection level: 500
25/7/2019 -- 13:25:10 - <Config> - DNS per flow memcap (state-memcap): 524288
25/7/2019 -- 13:25:10 - <Config> - DNS global memcap: 16777216
25/7/2019 -- 13:25:10 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
25/7/2019 -- 13:25:10 - <Config> - preallocated 1000 hosts of size 136
25/7/2019 -- 13:25:10 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
25/7/2019 -- 13:25:10 - <Config> - using magic-file /usr/share/file/magic
25/7/2019 -- 13:25:10 - <Config> - Core dump size is unlimited.
25/7/2019 -- 13:25:10 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
25/7/2019 -- 13:25:10 - <Config> - preallocated 1000 defrag trackers of size 168
25/7/2019 -- 13:25:10 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
25/7/2019 -- 13:25:10 - <Config> - stream "prealloc-sessions": 2048 (per thread)
25/7/2019 -- 13:25:10 - <Config> - stream "memcap": 33554432
25/7/2019 -- 13:25:10 - <Config> - stream "midstream" session pickups: disabled
25/7/2019 -- 13:25:10 - <Config> - stream "async-oneside": disabled
25/7/2019 -- 13:25:10 - <Config> - stream "checksum-validation": disabled
25/7/2019 -- 13:25:10 - <Config> - stream."inline": disabled
25/7/2019 -- 13:25:10 - <Config> - stream "bypass": disabled
25/7/2019 -- 13:25:10 - <Config> - stream "max-synack-queued": 5
25/7/2019 -- 13:25:10 - <Config> - stream.reassembly "memcap": 134217728
25/7/2019 -- 13:25:10 - <Config> - stream.reassembly "depth": 0
25/7/2019 -- 13:25:10 - <Config> - stream.reassembly "toserver-chunk-size": 2501
25/7/2019 -- 13:25:10 - <Config> - stream.reassembly "toclient-chunk-size": 2633
25/7/2019 -- 13:25:10 - <Config> - stream.reassembly.raw: enabled
25/7/2019 -- 13:25:10 - <Config> - stream.reassembly "segment-prealloc": 2048
25/7/2019 -- 13:25:10 - <Config> - Delayed detect disabled
25/7/2019 -- 13:25:10 - <Config> - pattern matchers: MPM: ac, SPM: bm
25/7/2019 -- 13:25:10 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
25/7/2019 -- 13:25:10 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
25/7/2019 -- 13:25:10 - <Config> - prefilter engines: MPM
25/7/2019 -- 13:25:10 - <Config> - IP reputation disabled
25/7/2019 -- 13:25:10 - <Perf> - Registered 148 keyword profiling counters.
25/7/2019 -- 13:25:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
25/7/2019 -- 13:25:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
25/7/2019 -- 13:25:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
25/7/2019 -- 13:25:15 - <Config> - No rules loaded from ET-icmp.rules.
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
25/7/2019 -- 13:25:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
25/7/2019 -- 13:25:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
25/7/2019 -- 13:25:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
25/7/2019 -- 13:25:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
25/7/2019 -- 13:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
25/7/2019 -- 13:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
25/7/2019 -- 13:25:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
25/7/2019 -- 13:25:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
25/7/2019 -- 13:25:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
25/7/2019 -- 13:25:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
25/7/2019 -- 13:25:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
25/7/2019 -- 13:25:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
25/7/2019 -- 13:25:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
25/7/2019 -- 13:25:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
25/7/2019 -- 13:25:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
25/7/2019 -- 13:25:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
25/7/2019 -- 13:25:23 - <Config> - No rules loaded from local.rules.
25/7/2019 -- 13:25:23 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
25/7/2019 -- 13:25:23 - <Info> - Threshold config parsed: 0 rule(s) found
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for tcp-packet
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for tcp-stream
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for udp-packet
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for other-ip
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_uri
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_request_line
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_client_body
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_response_line
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_header
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_header
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_header_names
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_header_names
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_accept
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_accept_enc
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_accept_lang
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_referer
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_connection
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_content_len
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_content_len
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_content_type
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_content_type
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_protocol
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_protocol
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_start
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_start
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_raw_header
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_raw_header
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_method
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_cookie
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_cookie
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_raw_uri
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_user_agent
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_host
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_raw_host
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_stat_msg
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_stat_code
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for dns_query
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for tls_sni
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for tls_cert_issuer
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for tls_cert_subject
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for tls_cert_serial
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for dce_stub_data
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for dce_stub_data
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for ssh_protocol
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for ssh_protocol
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for ssh_software
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for ssh_software
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for file_data
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for file_data
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_request_line
25/7/2019 -- 13:25:24 - <Perf> - using shared mpm ctx' for http_response_line
25/7/2019 -- 13:25:24 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
25/7/2019 -- 13:25:24 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
25/7/2019 -- 13:25:24 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
25/7/2019 -- 13:25:24 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
25/7/2019 -- 13:25:24 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
25/7/2019 -- 13:25:24 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
25/7/2019 -- 13:25:24 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
25/7/2019 -- 13:25:24 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
25/7/2019 -- 13:25:30 - <Perf> - Unique rule groups: 104
25/7/2019 -- 13:25:30 - <Perf> - Builtin MPM "toserver TCP packet": 35
25/7/2019 -- 13:25:30 - <Perf> - Builtin MPM "toclient TCP packet": 17
25/7/2019 -- 13:25:30 - <Perf> - Builtin MPM "toserver TCP stream": 33
25/7/2019 -- 13:25:30 - <Perf> - Builtin MPM "toclient TCP stream": 19
25/7/2019 -- 13:25:30 - <Perf> - Builtin MPM "toserver UDP packet": 27
25/7/2019 -- 13:25:30 - <Perf> - Builtin MPM "toclient UDP packet": 17
25/7/2019 -- 13:25:30 - <Perf> - Builtin MPM "other IP packet": 3
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_uri": 14
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_request_line": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_client_body": 6
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient http_response_line": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_header": 10
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient http_header": 6
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_header_names": 2
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_accept": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_referer": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_content_len": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_content_type": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient http_content_type": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_protocol": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_start": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_method": 5
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_cookie": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient http_cookie": 2
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver http_host": 2
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver dns_query": 4
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver tls_sni": 2
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toserver file_data": 1
25/7/2019 -- 13:25:30 - <Perf> - AppLayer MPM "toclient file_data": 7
25/7/2019 -- 13:25:32 - <Perf> - Registered 39590 rule profiling counters.
25/7/2019 -- 13:25:32 - <Info> - fast output device (regular) initialized: alert
25/7/2019 -- 13:25:32 - <Info> - eve-log output device (regular) initialized: eve.json
25/7/2019 -- 13:25:32 - <Config> - enabling 'eve-log' module 'alert'
25/7/2019 -- 13:25:32 - <Config> - enabling 'eve-log' module 'http'
25/7/2019 -- 13:25:32 - <Config> - enabling 'eve-log' module 'dns'
25/7/2019 -- 13:25:32 - <Config> - enabling 'eve-log' module 'tls'
25/7/2019 -- 13:25:32 - <Config> - enabling 'eve-log' module 'files'
25/7/2019 -- 13:25:32 - <Config> - enabling 'eve-log' module 'ssh'
25/7/2019 -- 13:25:32 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
25/7/2019 -- 13:25:32 - <Info> - stats output device (regular) initialized: stats.log
25/7/2019 -- 13:25:32 - <Config> - AutoFP mode using "Hash" flow load balancer
25/7/2019 -- 13:25:32 - <Info> - reading pcap file /var/pcap/07252019.1325-3214cb49-8f74-448f-9aa8-b4092a4ad4e7.pcap
25/7/2019 -- 13:25:32 - <Config> - us

This file has been truncated.


unified2.alert.1564061132 - (766 bytes)


stats.log - (2983 bytes)
------------------------------------------------------------------------------------
Date: 7/25/2019 -- 13:25:33 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 127
decoder.bytes                              | Total                     | 13111
decoder.ipv4                               | Total                     | 79
decoder.ipv6                               | Total                     | 10
decoder.ethernet                           | Total                     | 127
decoder.tcp                                | Total                     | 29
decoder.udp                                | Total                     | 60
decoder.avg_pkt_size                       | Total                     | 103
decoder.max_pkt_size                       | Total                     | 570
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 12
tcp.sessions                               | Total                     | 2
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
detect.alert                               | Total                     | 3
detect.mpm_list                            | Total                     | 9
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 10
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 1
app_layer.flow.failed_tcp                  | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.tx.dns_udp                       | Total                     | 2
app_layer.flow.failed_udp                  | Total                     | 10
flow.spare                                 | Total                     | 9992
flow_mgr.flows_checked                     | Total                     | 5
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65531
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075456


eve.json - (3484 bytes)
{"timestamp":"2019-06-30T23:41:43.630826+0000","flow_id":2245762309660714,"pcap_cnt":39,"event_type":"dns","src_ip":"192.168.100.185","src_port":56555,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21780,"rrname":"ip-api.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-06-30T23:41:43.649500+0000","flow_id":2245762309660714,"pcap_cnt":40,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.185","dest_port":56555,"proto":"UDP","dns":{"type":"answer","id":21780,"rcode":"NOERROR","rrname":"ip-api.com","rrtype":"A","ttl":99,"rdata":"185.194.141.58"}}
{"timestamp":"2019-06-30T23:41:43.978020+0000","flow_id":45761949038315,"pcap_cnt":51,"event_type":"alert","src_ip":"192.168.100.185","src_port":49202,"dest_ip":"185.194.141.58","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022082,"rev":3,"signature":"ET POLICY External IP Lookup ip-api.com","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-06-30T23:41:43.978020+0000","flow_id":45761949038315,"pcap_cnt":51,"event_type":"alert","src_ip":"192.168.100.185","src_port":49202,"dest_ip":"185.194.141.58","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2823676,"rev":2,"signature":"ETPRO TROJAN W32\/Quasar 1.3 RAT Connectivity Check","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-06-30T23:41:43.978020+0000","flow_id":45761949038315,"pcap_cnt":51,"event_type":"http","src_ip":"192.168.100.185","src_port":49202,"dest_ip":"185.194.141.58","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ip-api.com","url":"\/json\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.3; rv:48.0) Gecko\/20100101 Firefox\/48.0","http_content_type":"application\/json"}}
{"timestamp":"2019-06-30T23:41:44.107774+0000","flow_id":1868084360553726,"pcap_cnt":54,"event_type":"alert","src_ip":"192.168.100.185","src_port":57521,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022918,"rev":2,"signature":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","category":"Misc activity","severity":3},"app_proto":"dns"}
{"timestamp":"2019-06-30T23:41:44.107774+0000","flow_id":1868084360553726,"pcap_cnt":54,"event_type":"dns","src_ip":"192.168.100.185","src_port":57521,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62444,"rrname":"windowstap.duckdns.org","rrtype":"A","tx_id":0}}
{"timestamp":"2019-06-30T23:41:44.260016+0000","flow_id":1868084360553726,"pcap_cnt":55,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.185","dest_port":57521,"proto":"UDP","dns":{"type":"answer","id":62444,"rcode":"NOERROR","rrname":"windowstap.duckdns.org","rrtype":"A","ttl":59,"rdata":"193.56.28.150"}}
{"timestamp":"2019-06-30T23:41:51.780019+0000","flow_id":45761949038315,"pcap_cnt":76,"event_type":"fileinfo","src_ip":"185.194.141.58","src_port":80,"dest_ip":"192.168.100.185","dest_port":49202,"proto":"TCP","http":{"hostname":"ip-api.com","url":"\/json\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.3; rv:48.0) Gecko\/20100101 Firefox\/48.0","http_content_type":"application\/json","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":275},"app_proto":"http","fileinfo":{"filename":"\/json\/","gaps":false,"state":"CLOSED","stored":false,"size":275,"tx_id":0}}


suricata-4.0.0-etpro-all-alert-2019-07-25-T-13-25-33-07252019.1325-3214cb49-8f74-448f-9aa8-b4092a4ad4e7.pcap.txt - (618 bytes)
06/30/2019-23:41:43.978020  [**] [1:2022082:3] ET POLICY External IP Lookup ip-api.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.100.185:49202 -> 185.194.141.58:80
06/30/2019-23:41:43.978020  [**] [1:2823676:2] ETPRO TROJAN W32/Quasar 1.3 RAT Connectivity Check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.185:49202 -> 185.194.141.58:80
06/30/2019-23:41:44.107774  [**] [1:2022918:2] ET INFO DYNAMIC_DNS Query to *.duckdns. Domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.185:57521 -> 192.168.100.2:53


keyword_perf.log - (9496 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 7/25/2019 -- 13:25:33
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             723102          52              52              420158          13905.00        13905.00        0.00           
  content          998788          159             112             51170           6281.00         6227.00         6411.00        
  pcre             725010          14              2               430968          51786.00        20091.00        57069.00       
  byte_test        387804          61              48              30872           6357.00         5916.00         7985.00        
  byte_jump        99550           15              13              20058           6636.00         6823.00         5425.00        
  isdataat         9528            2               0               4794            4764.00         0.00            4764.00        
  urilen           73928           14              2               7512            5280.00         5168.00         5299.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             723102          52              52              420158          13905.00        13905.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          489616          74              50              51170           6616.00         6339.00         7193.00        
  pcre             45058           1               0               45058           45058.00        0.00            45058.00       
  byte_test        387804          61              48              30872           6357.00         5916.00         7985.00        
  byte_jump        99550           15              13              20058           6636.00         6823.00         5425.00        
  isdataat         9528            2               0               4794            4764.00         0.00            4764.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          41184           7               2               7476            5883.00         5939.00         5861.00        
  pcre             38692           2               0               19350           19346.00        0.00            19346.00       
  urilen           73928           14              2               7512            5280.00         5168.00         5299.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6144            1               0               6144            6144.00         0.00            6144.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          300462          50              43              8182            6009.00         6063.00         5676.00        
  pcre             612496          9               2               430968          68055.00        20091.00        81759.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          52240           9               5               6322            5804.00         6016.00         5540.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          15646           3               1               6118            5215.00         6118.00         4764.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          82658           13              9               8002            6358.00         6758.00         5458.00        
  pcre             28764           2               0               14814           14382.00        0.00            14382.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5026            1               1               5026            5026.00         5026.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5812            1               1               5812            5812.00         5812.00         0.00           


IDSDeathBlossom.py.log - (1175 bytes)
2019-07-25 13:25:09,363 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-07-25 13:25:10,124 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-07-25 13:25:10,125 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-07-25 13:25:10,125 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-07-25 13:25:10,125 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-07-25 13:25:10,125 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/84de023428e25aac77fba9d8feb664c856b33745cb75ec8c950e11a498e082d2 -r /var/pcap/07252019.1325-3214cb49-8f74-448f-9aa8-b4092a4ad4e7.pcap -vvv -k none
2019-07-25 13:25:33,311 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-07-25 13:25:33,312 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.958122015