Filename: 1658ecc0-acfd-4872-b590-a3146940a21c.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.7209172249 seconds
Hash: 84f3840384e691279c7efe63a90bdb31
Uploaded: 1548767420

Logfiles


suricata-4.0.0-etpro-all-alert-2019-01-29-T-13-10-42-01292019.1310-1658ecc0-acfd-4872-b590-a3146940a21c.pcap.txt - (1070 bytes)
01/29/2019-12:55:27.456379  [**] [1:2020657:2] ET TROJAN Possible malicious Office doc hidden in XML file [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 116.206.105.47:80 -> 192.168.100.177:49181
01/29/2019-12:56:30.469442  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 195.248.240.20:80 -> 192.168.100.177:50121
01/29/2019-12:56:30.469442  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 195.248.240.20:80 -> 192.168.100.177:50121
01/29/2019-12:56:30.469442  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 195.248.240.20:80 -> 192.168.100.177:50121
01/29/2019-12:56:58.765307  [**] [1:2830701:1] ETPRO TROJAN W32/Emotet CnC Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.177:50430 -> 181.143.99.26:80


unified2.alert.1548767440 - (14391 bytes)
[binary unified2 alert/packet records not reproduced; only the readable HTTP request payload from the final record follows]
GET / HTTP/1.1
Cookie: 13950=RjdrD4EJ7eW6EmmsAJ7eXDiUqeNVCbQx3OInC/lnxMifdHlEN9BiXZcvvg89SHSVy+BGdYU7SiIaB3NIQupEvjB7orxCIhHAe2whb5x0EjtYDnbA8+eO8hx5xKAct9gdjY0maABX6ZCO3sN45Go7FkjhGB/tx5DMePpS/7o1uUvcL86kdMZN+AHwgSCRLQkJYx+POctUNbrXsMbV+5KBBFnT6+30iZH7Ps6DxmnVk4pmGuSeHYJ56NcoD/PYsZs/fU4cHRvFEvxshbZvf/jjpyBKQINY7h1TmJaUu5d1rsjCAgEgRY3ZEp5Gq2nhycOMgG3XcWuzCbae03ej5duZCWlMFNXUAfF/ryH32kb7TXbdD2bu8YaN064rOVrP4xK0M0MGIZFEGlsnWcgWGTp2pFX6vpM=
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 181.143.99.26
Connection: Keep-Alive
Cache-Control: no-cache


packet_stats.log - (14936 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           417          2645802      187875625     121751425         50.8b   93.17
 IPv4      17            55          6839057      189221999      58975817          3.2b    5.95
 IPv6      17             9          7281176      105690654      53141223        478.3m    0.88
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           417            68078       13237353        418053        174.3m   83.94
TMM_FLOWWORKER              IPv4      17            55           119540       16176938        526178         28.9m   13.94
TMM_RECEIVEPCAPFILE         IPv4       6           412             2551          34274          3098          1.3m    0.61
TMM_RECEIVEPCAPFILE         IPv4      17            55             2558          10873          3032        166.8k    0.08
TMM_DECODEPCAPFILE          IPv4       6           412             2659          38615          2920          1.2m    0.58
TMM_DECODEPCAPFILE          IPv4      17            55             2686          29200          3340        183.7k    0.09
TMM_FLOWWORKER              IPv6      17             9           111379         261290        168248          1.5m    0.73
TMM_RECEIVEPCAPFILE         IPv6      17             9             2601           3063          2792         25.1k    0.01
TMM_DECODEPCAPFILE          IPv6      17             9             2744          16365          4366         39.3k    0.02

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           412             2835          16032          3199          1.3m  0.73  
flow                    IPv4      17            55             2678          36166          5115        281.4k  0.16  
stream                  IPv4       6           417             2698         336957         16610          6.9m  3.85  
app-layer               IPv4      17            55             2532          49530          6039        332.1k  0.18  
detect                  IPv4       6           417            45372       12931544        375831        156.7m  87.06 
detect                  IPv4      17            55           103080         611752        212929         11.7m  6.51  
tcp-prune               IPv4       6           417             2555          21553          3123          1.3m  0.72  
flow                    IPv6      17             9             2873          15656          5564         50.1k  0.03  
app-layer               IPv6      17             9             2570          12391          6266         56.4k  0.03  
detect                  IPv6      17             9            95190         233684        145180          1.3m  0.73  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             8             2847          14553          6274         50.2k  25.91 
http                    IPv4      17             1            45439          45439         45439         45.4k  23.45 
dns                     IPv4      17             6             4321          20007          8776         52.7k  27.18 
http                    IPv6      17             1            45439          45439         45439         45.4k  23.45 
Proto detect            IPv4      17            11             2800          28222          8810         96.9k
Proto detect            IPv6      17             4             3030           5942          4599         18.4k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             3            43290         100853         77919        233.8k  1.32  
LOGGER_UNIFIED2             IPv4       6             3            43762         177352        106001        318.0k  1.79  
LOGGER_JSON_ALERT           IPv4       6             3            73412         126376        102279        306.8k  1.73  
LOGGER_JSON_DNS             IPv4      17             6            43924       15598635       2654619         15.9m  89.75 
LOGGER_JSON_HTTP            IPv4       6             5            40013         167396        107796        539.0k  3.04  
LOGGER_JSON_FILE            IPv4       6             5            50886         158362         84240        421.2k  2.37  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           272             2610         141446         22501         6.1m  13.71 
payload                           IPv4      17            55             3245         210661         17653       971.0k  2.18  
stream                            IPv4       6           272             2547         663347         45948        12.5m  28.00 
http_uri                          IPv4       6             5             5354          16306          9239        46.2k  0.10  
http_request_line                 IPv4       6             5             4717           7883          6660        33.3k  0.07  
http_client_body                  IPv4       6             5             3037           3977          3512        17.6k  0.04  
http_header (request)             IPv4       6             5             9110         132559         70029       350.1k  0.78  
http_header (request trailer)     IPv4       6             5             2601           2707          2632        13.2k  0.03  
http_header_names (request)       IPv4       6             5             6100          25166         17555        87.8k  0.20  
http_accept (request)             IPv4       6             5             3831          12421          5610        28.1k  0.06  
http_referer (request)            IPv4       6             5             3027           3399          3206        16.0k  0.04  
http_content_len (request)        IPv4       6             5             3170           3924          3498        17.5k  0.04  
http_content_type (request)       IPv4       6             5             3057           4404          3621        18.1k  0.04  
http_protocol (request)           IPv4       6             5             3721           5695          4986        24.9k  0.06  
http_start (request)              IPv4       6             5             6494          36470         17698        88.5k  0.20  
http_raw_header (request)         IPv4       6             5             7450          20255         14581        72.9k  0.16  
http_method                       IPv4       6             5             4460           7157          6060        30.3k  0.07  
http_cookie (request)             IPv4       6             5             3354          16440          6085        30.4k  0.07  
http_raw_uri                      IPv4       6             5             2997           6369          4821        24.1k  0.05  
http_user_agent                   IPv4       6             5             2825          51062         30178       150.9k  0.34  
http_host                         IPv4       6             5             5155           8062          6689        33.4k  0.07  
dns_query                         IPv4      17             3             7787           8768          8164        24.5k  0.05  
http_response_line                IPv4       6             5             3400          10429          8105        40.5k  0.09  
http_header (response)            IPv4       6             5            15264         180105         68762       343.8k  0.77  
http_header (response trailer)    IPv4       6             5             2626          79862         24914       124.6k  0.28  
http_content_type (response)      IPv4       6             5             6027          13206          9114        45.6k  0.10  
http_raw_header (response)        IPv4       6           253             5424          15842          5931         1.5m  3.36  
http_cookie (response)            IPv4       6             5             2954           5056          3677        18.4k  0.04  
http_stat_code                    IPv4       6             5             2836           4560          3911        19.6k  0.04  
file_data (http response)         IPv4       6           248             2577        1255013         87623        21.7m  48.69 
Total                             IPv4                  1223                                         36403        44.5m
payload                           IPv6      17             9             3468          42236         12113       109.0k  0.24  
Total                             IPv6                     9                                         12113       109.0k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             8             9180          67768         35890        287.1k  0.12  
PROF_DETECT_IPONLY          IPv4      17            12            37454          91470         52007        624.1k  0.25  
PROF_DETECT_RULES           IPv4       6           417             2543       12183286        189468         79.0m  31.93 
PROF_DETECT_RULES           IPv4      17            55            44902         287334        117933          6.5m  2.62  
PROF_DETECT_STATEFUL_START    IPv4       6           196             5110       10984273        189570         37.2m  15.01 
PROF_DETECT_STATEFUL_CONT    IPv4       6           417             2559          86056         11625          4.8m  1.96  
PROF_DETECT_STATEFUL_CONT    IPv4      17            55             2531          47343          4115        226.3k  0.09  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           401             2564          30059          2823          1.1m  0.46  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             6             2660           3201          2874         17.2k  0.01  
PROF_DETECT_PREFILTER       IPv4       6           417             7789        1679259        133731         55.8m  22.53 
PROF_DETECT_PREFILTER       IPv4      17            55            24061         240108         43177          2.4m  0.96  
PROF_DETECT_PF_PAYLOAD      IPv4       6           272            13282         731720         76932         20.9m  8.46  
PROF_DETECT_PF_PAYLOAD      IPv4      17            55             8530         216042         22962          1.3m  0.51  
PROF_DETECT_PF_TX           IPv4       6           401             2566        1270868         69569         27.9m  11.27 
PROF_DETECT_PF_TX           IPv4      17             3            13691          14689         14329         43.0k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6           191             2545          17017          3845        734.5k  0.30  
PROF_DETECT_PF_SORT1        IPv4      17            55             2665          21104          3872        213.0k  0.09  
PROF_DETECT_PF_SORT2        IPv4       6           417             2538          19847          2939          1.2m  0.50  
PROF_DETECT_PF_SORT2        IPv4      17            55             2551          15292          3399        187.0k  0.08  
PROF_DETECT_NONMPMLIST      IPv4       6           417             2568          23264          2930          1.2m  0.49  
PROF_DETECT_NONMPMLIST      IPv4      17            55             2536           3660          2849        156.7k  0.06  
PROF_DETECT_ALERT           IPv4       6           417             2528          38419          2998          1.3m  0.51  
PROF_DETECT_ALERT           IPv4      17            55             2531          15380          3140        172.7k  0.07  
PROF_DETECT_CLEANUP         IPv4       6           417             2562          23855          3077          1.3m  0.52  
PROF_DETECT_CLEANUP         IPv4      17            55             2525           5803          2809        154.5k  0.06  
PROF_DETECT_GETSGH          IPv4       6           417             2523          22464          3047          1.3m  0.51  
PROF_DETECT_GETSGH          IPv4      17            55             2523          34097          4054        223.0k  0.09  
PROF_DETECT_IPONLY          IPv6      17             4             3687          22265         10915         43.7k  0.02  
PROF_DETECT_RULES           IPv6      17             9            34408         105991         59563        536.1k  0.22  
PROF_DETECT_STATEFUL_CONT    IPv6      17             9             2520           3604          2796         25.2k  0.01  
PROF_DETECT_PREFILTER       IPv6      17             9            24328          64998         37552        338.0k  0.14  
PROF_DETECT_PF_PAYLOAD      IPv6      17             9             8777          47568         18700        168.3k  0.07  
PROF_DETECT_PF_SORT1        IPv6      17             9             2674           4157          3254         29.3k  0.01  
PROF_DETECT_PF_SORT2        IPv6      17             9             2558           3541          2798         25.2k  0.01  
PROF_DETECT_NONMPMLIST      IPv6      17             9             2532           3311          2869         25.8k  0.01  
PROF_DETECT_ALERT           IPv6      17             9             2540           3319          2755         24.8k  0.01  
PROF_DETECT_CLEANUP         IPv6      17             9             2537           3835          3080         27.7k  0.01  
PROF_DETECT_GETSGH          IPv6      17             9             2750          23748          7940         71.5k  0.03  


stats.log - (2910 bytes)
------------------------------------------------------------------------------------
Date: 1/29/2019 -- 13:10:42 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 603
decoder.bytes                              | Total                     | 350386
decoder.ipv4                               | Total                     | 467
decoder.ipv6                               | Total                     | 9
decoder.ethernet                           | Total                     | 603
decoder.tcp                                | Total                     | 412
decoder.udp                                | Total                     | 64
decoder.avg_pkt_size                       | Total                     | 581
decoder.max_pkt_size                       | Total                     | 1294
flow.tcp                                   | Total                     | 4
flow.udp                                   | Total                     | 13
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.rst                                    | Total                     | 3
detect.alert                               | Total                     | 5
detect.mpm_list                            | Total                     | 6
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 6
app_layer.flow.http                        | Total                     | 4
app_layer.tx.http                          | Total                     | 5
app_layer.flow.dns_udp                     | Total                     | 3
app_layer.tx.dns_udp                       | Total                     | 3
app_layer.flow.failed_udp                  | Total                     | 10
flow.spare                                 | Total                     | 9997
flow_mgr.flows_checked                     | Total                     | 8
flow_mgr.flows_notimeout                   | Total                     | 8
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65528
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076608


eve.json - (10380 bytes)
{"timestamp":"2019-01-29T12:55:26.995359+0000","flow_id":1289859431804959,"pcap_cnt":35,"event_type":"dns","src_ip":"192.168.100.177","src_port":63928,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14186,"rrname":"www.bing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-29T12:55:27.004740+0000","flow_id":1075164754154116,"pcap_cnt":36,"event_type":"dns","src_ip":"192.168.100.177","src_port":52074,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19613,"rrname":"dailydemand.in","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-29T12:55:27.015991+0000","flow_id":1289859431804959,"pcap_cnt":37,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.177","dest_port":63928,"proto":"UDP","dns":{"type":"answer","id":14186,"rcode":"NOERROR","rrname":"www.bing.com","rrtype":"CNAME","ttl":34,"rdata":"a-0001.a-afdentry.net.trafficmanager.net"}}
{"timestamp":"2019-01-29T12:55:27.015991+0000","flow_id":1289859431804959,"pcap_cnt":37,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.177","dest_port":63928,"proto":"UDP","dns":{"type":"answer","id":14186,"rcode":"NOERROR","rrname":"a-0001.a-afdentry.net.trafficmanager.net","rrtype":"CNAME","ttl":59,"rdata":"a-0001.a-msedge.net"}}
{"timestamp":"2019-01-29T12:55:27.015991+0000","flow_id":1289859431804959,"pcap_cnt":37,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.177","dest_port":63928,"proto":"UDP","dns":{"type":"answer","id":14186,"rcode":"NOERROR","rrname":"a-0001.a-msedge.net","rrtype":"A","ttl":53,"rdata":"204.79.197.200"}}
{"timestamp":"2019-01-29T12:55:27.015991+0000","flow_id":1289859431804959,"pcap_cnt":37,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.177","dest_port":63928,"proto":"UDP","dns":{"type":"answer","id":14186,"rcode":"NOERROR","rrname":"a-0001.a-msedge.net","rrtype":"A","ttl":53,"rdata":"13.107.21.200"}}
{"timestamp":"2019-01-29T12:55:27.033958+0000","flow_id":1075164754154116,"pcap_cnt":39,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.177","dest_port":52074,"proto":"UDP","dns":{"type":"answer","id":19613,"rcode":"NOERROR","rrname":"dailydemand.in","rrtype":"A","ttl":599,"rdata":"116.206.105.47"}}
{"timestamp":"2019-01-29T12:55:27.264984+0000","flow_id":1222587359119427,"pcap_cnt":51,"event_type":"http","src_ip":"192.168.100.177","src_port":49180,"dest_ip":"204.79.197.200","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.bing.com","url":"\/favicon.ico","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"image\/x-icon"}}
{"timestamp":"2019-01-29T12:55:27.456379+0000","flow_id":197000708459812,"pcap_cnt":78,"event_type":"alert","src_ip":"116.206.105.47","src_port":80,"dest_ip":"192.168.100.177","dest_port":49181,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2020657,"rev":2,"signature":"ET TROJAN Possible malicious Office doc hidden in XML file","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-29T12:56:19.275484+0000","flow_id":197000708459812,"pcap_cnt":237,"event_type":"http","src_ip":"192.168.100.177","src_port":49181,"dest_ip":"116.206.105.47","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"dailydemand.in","url":"\/Rechnungs\/012019\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/xml"}}
{"timestamp":"2019-01-29T12:56:30.304931+0000","flow_id":373867465844515,"pcap_cnt":245,"event_type":"dns","src_ip":"192.168.100.177","src_port":56935,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1215,"rrname":"www.kheiriehsalehin.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-29T12:56:30.318212+0000","flow_id":373867465844515,"pcap_cnt":246,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.177","dest_port":56935,"proto":"UDP","dns":{"type":"answer","id":1215,"rcode":"NOERROR","rrname":"www.kheiriehsalehin.com","rrtype":"A","ttl":2599,"rdata":"195.248.240.20"}}
{"timestamp":"2019-01-29T12:56:30.391518+0000","flow_id":893577836035420,"pcap_cnt":254,"event_type":"http","src_ip":"192.168.100.177","src_port":50121,"dest_ip":"195.248.240.20","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.kheiriehsalehin.com","url":"\/Mpsb3J4","http_content_type":"text\/html"}}
{"timestamp":"2019-01-29T12:56:30.437956+0000","flow_id":893577836035420,"pcap_cnt":256,"event_type":"fileinfo","src_ip":"195.248.240.20","src_port":80,"dest_ip":"192.168.100.177","dest_port":50121,"proto":"TCP","http":{"hostname":"www.kheiriehsalehin.com","url":"\/Mpsb3J4","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/www.kheiriehsalehin.com\/Mpsb3J4\/","length":1147},"app_proto":"http","fileinfo":{"filename":"\/Mpsb3J4","gaps":false,"state":"CLOSED","stored":false,"size":1147,"tx_id":0}}
{"timestamp":"2019-01-29T12:56:30.469442+0000","flow_id":893577836035420,"pcap_cnt":297,"event_type":"alert","src_ip":"195.248.240.20","src_port":80,"dest_ip":"192.168.100.177","dest_port":50121,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-29T12:56:30.469442+0000","flow_id":893577836035420,"pcap_cnt":297,"event_type":"alert","src_ip":"195.248.240.20","src_port":80,"dest_ip":"192.168.100.177","dest_port":50121,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-01-29T12:56:30.469442+0000","flow_id":893577836035420,"pcap_cnt":297,"event_type":"alert","src_ip":"195.248.240.20","src_port":80,"dest_ip":"192.168.100.177","dest_port":50121,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2019-01-29T12:56:30.535552+0000","flow_id":893577836035420,"pcap_cnt":509,"event_type":"http","src_ip":"192.168.100.177","src_port":50121,"dest_ip":"195.248.240.20","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"www.kheiriehsalehin.com","url":"\/Mpsb3J4\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2019-01-29T12:56:58.765307+0000","flow_id":1246280551756131,"pcap_cnt":534,"event_type":"alert","src_ip":"192.168.100.177","src_port":50430,"dest_ip":"181.143.99.26","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2830701,"rev":1,"signature":"ETPRO TROJAN W32\/Emotet CnC Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-29T12:56:58.765307+0000","flow_id":1246280551756131,"pcap_cnt":534,"event_type":"http","src_ip":"192.168.100.177","src_port":50430,"dest_ip":"181.143.99.26","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"181.143.99.26","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-29T12:58:24.459967+0000","flow_id":893577836035420,"event_type":"fileinfo","src_ip":"195.248.240.20","src_port":80,"dest_ip":"192.168.100.177","dest_port":50121,"proto":"TCP","http":{"hostname":"www.kheiriehsalehin.com","url":"\/Mpsb3J4\/","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":217307},"app_proto":"http","fileinfo":{"filename":"4j3xPBoQr.exe","gaps":false,"state":"CLOSED","stored":false,"size":217088,"tx_id":1}}
{"timestamp":"2019-01-29T12:58:24.459967+0000","flow_id":197000708459812,"event_type":"fileinfo","src_ip":"116.206.105.47","src_port":80,"dest_ip":"192.168.100.177","dest_port":49181,"proto":"TCP","http":{"hostname":"dailydemand.in","url":"\/Rechnungs\/012019\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":90774},"app_proto":"http","fileinfo":{"filename":"RECHNUNG_926633908660.doc","gaps":false,"state":"CLOSED","stored":false,"size":151045,"tx_id":0}}
{"timestamp":"2019-01-29T12:58:24.459967+0000","flow_id":1222587359119427,"event_type":"fileinfo","src_ip":"204.79.197.200","src_port":80,"dest_ip":"192.168.100.177","dest_port":49180,"proto":"TCP","http":{"hostname":"www.bing.com","url":"\/favicon.ico","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"image\/x-icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237},"app_proto":"http","fileinfo":{"filename":"\/favicon.ico","gaps":false,"state":"CLOSED","stored":false,"size":237,"tx_id":0}}
{"timestamp":"2019-01-29T12:58:24.459967+0000","flow_id":1246280551756131,"event_type":"fileinfo","src_ip":"181.143.99.26","src_port":80,"dest_ip":"192.168.100.177","dest_port":50430,"proto":"TCP","http":{"hostname":"181.143.99.26","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}


suricata-4.0.0-etpro-all-perf.txt-2019-01-29-T-13-10-42-01292019.1310-1658ecc0-acfd-4872-b590-a3146940a21c.pcap.txt - (52438 bytes) - download
  --------------------------------------------------------------------------
  Date: 1/29/2019 -- 13:10:42. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2018958      1        18       9764199      12.95  3        0        9685887     3254733.00  0.00        3254733.00 
  2        2816927      1        3        9389403      12.45  3        0        9333429     3129801.00  0.00        3129801.00 
  3        2819664      1        2        5376770      7.13   30       0        378024      179225.67   0.00        179225.67  
  4        2819930      1        2        5066524      6.72   30       0        365976      168884.13   0.00        168884.13  
  5        2820157      1        2        3796226      5.03   24       0        318394      158176.08   0.00        158176.08  
  6        2820158      1        2        3746622      4.97   24       0        318285      156109.25   0.00        156109.25  
  7        2018342      1        2        235928       0.31   1        0        235928      235928.00   0.00        235928.00  
  8        2807932      1        6        432265       0.57   2        0        221463      216132.50   0.00        216132.50  
  9        2016855      1        2        212287       0.28   1        0        212287      212287.00   0.00        212287.00  
  10       2819940      1        3        638162       0.85   4        0        192319      159540.50   0.00        159540.50  
  11       2816510      1        3        623388       0.83   4        0        179310      155847.00   0.00        155847.00  
  12       2016854      1        3        169798       0.23   1        0        169798      169798.00   0.00        169798.00  
  13       2801929      1        7        688787       0.91   9        0        164423      76531.89    0.00        76531.89   
  14       2809747      1        2        136280       0.18   1        0        136280      136280.00   0.00        136280.00  
  15       2802991      1        5        472498       0.63   5        0        130633      94499.60    0.00        94499.60   
  16       2801930      1        7        655208       0.87   9        0        130351      72800.89    0.00        72800.89   
  17       2802987      1        5        585915       0.78   8        0        126033      73239.38    0.00        73239.38   
  18       2803027      1        6        512338       0.68   6        0        125554      85389.67    0.00        85389.67   
  19       2830701      1        1        124416       0.16   1        1        124416      124416.00   124416.00   0.00       
  20       2808234      1        1        192608       0.26   3        0        117859      64202.67    0.00        64202.67   
  21       2018982      1        2        194477       0.26   3        0        117232      64825.67    0.00        64825.67   
  22       2804911      1        3        333177       0.44   9        0        115914      37019.67    0.00        37019.67   
  23       2819939      1        2        200493       0.27   2        0        113762      100246.50   0.00        100246.50  
  24       2805985      1        2        185330       0.25   3        0        105649      61776.67    0.00        61776.67   
  25       2020569      1        1        180854       0.24   3        0        104652      60284.67    0.00        60284.67   
  26       2816509      1        2        194048       0.26   2        0        104502      97024.00    0.00        97024.00   
  27       2807400      1        3        191598       0.25   3        0        103796      63866.00    0.00        63866.00   
  28       2022050      1        3        178194       0.24   3        0        103164      59398.00    0.00        59398.00   
  29       2829607      1        1        146719       0.19   3        1        101308      48906.33    101308.00   22705.50   
  30       2806020      1        2        100913       0.13   1        0        100913      100913.00   0.00        100913.00  
  31       2828008      1        2        134758       0.18   3        0        91691       44919.33    0.00        44919.33   
  32       2018358      1        7        168117       0.22   3        0        91087       56039.00    0.00        56039.00   
  33       2805348      1        4        744908       0.99   15       0        88256       49660.53    0.00        49660.53   
  34       2804906      1        3        87844        0.12   3        0        81695       29281.33    0.00        29281.33   
  35       2812950      1        2        81054        0.11   1        0        81054       81054.00    0.00        81054.00   
  36       2816910      1        2        200215       0.27   3        0        79023       66738.33    0.00        66738.33   
  37       2008575      1        5        1091722      1.45   151      0        76893       7229.95     0.00        7229.95    
  38       2022054      1        3        73401        0.10   1        0        73401       73401.00    0.00        73401.00   
  39       2016537      1        2        1959286      2.60   125      2        70804       15674.29    64423.00    14881.63   
  40       2021954      1        2        98794        0.13   3        0        69958       32931.33    0.00        32931.33   
  41       2816909      1        2        186628       0.25   3        0        67513       62209.33    0.00        62209.33   
  42       2017613      1        9        140513       0.19   3        0        65816       46837.67    0.00        46837.67   
  43       2809267      1        8        116639       0.15   3        0        64967       38879.67    0.00        38879.67   
  44       2816929      1        4        154418       0.20   3        0        64880       51472.67    0.00        51472.67   
  45       2816940      1        2        176418       0.23   3        0        62488       58806.00    0.00        58806.00   
  46       2812952      1        2        62437        0.08   1        0        62437       62437.00    0.00        62437.00   
  47       2827279      1        5        108943       0.14   3        0        62367       36314.33    0.00        36314.33   
  48       2018241      1        2        67603        0.09   3        0        62266       22534.33    0.00        22534.33   
  49       2812914      1        4        62260        0.08   1        0        62260       62260.00    0.00        62260.00   
  50       2812915      1        4        62094        0.08   1        0        62094       62094.00    0.00        62094.00   
  51       2019344      1        5        133933       0.18   3        0        61808       44644.33    0.00        44644.33   
  52       2025064      1        5        137796       0.18   3        0        61679       45932.00    0.00        45932.00   
  53       2812951      1        2        61585        0.08   1        0        61585       61585.00    0.00        61585.00   
  54       2009897      1        14       139074       0.18   3        0        60963       46358.00    0.00        46358.00   
  55       2830124      1        1        141776       0.19   3        0        60353       47258.67    0.00        47258.67   
  56       2010140      1        7        284134       0.38   53       0        59066       5361.02     0.00        5361.02    
  57       2821615      1        2        151439       0.20   4        0        58872       37859.75    0.00        37859.75   
  58       2011894      1        19       113848       0.15   3        0        58427       37949.33    0.00        37949.33   
  59       2008438      1        20       138984       0.18   3        0        57678       46328.00    0.00        46328.00   
  60       2819931      1        2        81960        0.11   2        0        57408       40980.00    0.00        40980.00   
  61       2012981      1        5        55878        0.07   1        0        55878       55878.00    0.00        55878.00   
  62       2023711      1        2        60630        0.08   3        0        55285       20210.00    0.00        20210.00   
  63       2819680      1        2        202385       0.27   4        0        54496       50596.25    0.00        50596.25   
  64       2804508      1        2        53437        0.07   1        0        53437       53437.00    0.00        53437.00   
  65       2018959      1        3        57984        0.08   3        1        52328       19328.00    52328.00    2828.00    
  66       2804907      1        3        104813       0.14   3        0        51111       34937.67    0.00        34937.67   
  67       2804927      1        2        53607        0.07   2        0        51028       26803.50    0.00        26803.50   
  68       2822979      1        3        50208        0.07   1        0        50208       50208.00    0.00        50208.00   
  69       2009909      1        10       129048       0.17   3        0        50173       43016.00    0.00        43016.00   
  70       2022339      1        2        49998        0.07   1        0        49998       49998.00    0.00        49998.00   
  71       2828122      1        2        121841       0.16   3        0        49853       40613.67    0.00        40613.67   
  72       2828060      1        4        94161        0.12   2        0        49829       47080.50    0.00        47080.50   
  73       2802881      1        3        52927        0.07   2        0        49814       26463.50    0.00        26463.50   
  74       2019881      1        3        113514       0.15   3        0        49747       37838.00    0.00        37838.00   
  75       2802880      1        3        78084        0.10   3        0        49612       26028.00    0.00        26028.00   
  76       2013352      1        4        55526        0.07   3        0        49431       18508.67    0.00        18508.67   
  77       2024777      1        2        203247       0.27   57       0        48832       3565.74     0.00        3565.74    
  78       2820851      1        5        123971       0.16   3        0        48769       41323.67    0.00        41323.67   
  79       2013441      1        9        123946       0.16   3        0        48605       41315.33    0.00        41315.33   
  80       2816525      1        10       122470       0.16   3        0        48249       40823.33    0.00        40823.33   
  81       2009028      1        11       53242        0.07   3        0        47191       17747.33    0.00        17747.33   
  82       2826256      1        2        156155       0.21   5        0        46226       31231.00    0.00        31231.00   
  83       2022609      1        2        84485        0.11   2        0        45266       42242.50    0.00        42242.50   
  84       2014353      1        6        50795        0.07   3        0        45081       16931.67    0.00        16931.67   
  85       2819673      1        4        99084        0.13   3        0        44339       33028.00    0.00        33028.00   
  86       2812091      1        1        59648        0.08   2        0        44117       29824.00    0.00        29824.00   
  87       2012115      1        6        46968        0.06   2        0        44106       23484.00    0.00        23484.00   
  88       2022502      1        4        86427        0.11   2        0        43651       43213.50    0.00        43213.50   
  89       2815201      1        2        43007        0.06   1        0        43007       43007.00    0.00        43007.00   
  90       2021067      1        2        42344        0.06   1        1        42344       42344.00    42344.00    0.00       
  91       2816327      1        4        112988       0.15   3        0        41509       37662.67    0.00        37662.67   
  92       2018452      1        15       115060       0.15   3        0        41477       38353.33    0.00        38353.33   
  93       2022207      1        4        41328        0.05   1        0        41328       41328.00    0.00        41328.00   
  94       2809850      1        2        65355        0.09   2        0        41276       32677.50    0.00        32677.50   
  95       2816165      1        5        159281       0.21   5        0        39920       31856.20    0.00        31856.20   
  96       2022197      1        3        39350        0.05   1        0        39350       39350.00    0.00        39350.00   
  97       2020657      1        2        39323        0.05   1        1        39323       39323.00    39323.00    0.00       
  98       2802990      1        5        48780        0.06   2        0        38490       24390.00    0.00        24390.00   
  99       2023291      1        2        58944        0.08   4        0        38385       14736.00    0.00        14736.00   
  100      2815817      1        5        97025        0.13   3        0        37749       32341.67    0.00        32341.67   
  101      2815886      1        2        37609        0.05   1        0        37609       37609.00    0.00        37609.00   
  102      2016503      1        2        170556       0.23   11       0        36614       15505.09    0.00        15505.09   
  103      2014819      1        3        36520        0.05   1        0        36520       36520.00    0.00        36520.00   
  104      2008782      1        5        36418        0.05   1        0        36418       36418.00    0.00        36418.00   
  105      2819857      1        1        91068        0.12   3        0        36413       30356.00    0.00        30356.00   
  106      2815324      1        2        36344        0.05   1        0        36344       36344.00    0.00        36344.00   
  107      2821561      1        2        36163        0.05   1        0        36163       36163.00    0.00        36163.00   
  108      2023315      1        2        35210        0.05   1        0        35210       35210.00    0.00        35210.00   
  109      2014520      1        6        457546       0.61   104      1        35204       4399.48     10152.00    4343.63    
  110      2023083      1        2        62213        0.08   2        0        35191       31106.50    0.00        31106.50   
  111      2016538      1        3        41104        0.05   3        1        35177       13701.33    35177.00    2963.50    
  112      2022051      1        2        62200        0.08   3        0        34924       20733.33    0.00        20733.33   
  113      2019345      1        2        450203       0.60   30       0        34882       15006.77    0.00        15006.77   
  114      2022503      1        2        34819        0.05   1        0        34819       34819.00    0.00        34819.00   
  115      2806802      1        2        595804       0.79   30       0        34635       19860.13    0.00        19860.13   
  116      2830035      1        2        79243        0.11   3        0        34502       26414.33    0.00        26414.33   
  117      2014519      1        7        286524       0.38   19       0        34372       15080.21    0.00        15080.21   
  118      2022073      1        2        34316        0.05   1        0        34316       34316.00    0.00        34316.00   
  119      2022220      1        2        34278        0.05   1        0        34278       34278.00    0.00        34278.00   
  120      2018496      1        9        92437        0.12   3        0        34162       30812.33    0.00        30812.33   
  121      2805260      1        4        76766        0.10   3        0        34034       25588.67    0.00        25588.67   
  122      2023670      1        3        33891        0.04   1        0        33891       33891.00    0.00        33891.00   
  123      2828986      1        2        65627        0.09   2        0        33878       32813.50    0.00        32813.50   
  124      2816530      1        2        33732        0.04   1        0        33732       33732.00    0.00        33732.00   
  125      2003492      1        30       7

This file has been truncated.


keyword_perf.log - (15618 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/29/2019 -- 13:10:42
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             12867371        1123            1123            9293390         11458.00        11458.00        0.00           
  content          27911196        1090            543             9632776         25606.00        32393.00        18869.00       
  pcre             1382874         231             26              36542           5986.00         10191.00        5453.00        
  byte_test        533373          161             77              27239           3312.00         3525.00         3117.00        
  byte_jump        118775          40              34              4324            2969.00         2970.00         2963.00        
  isdataat         8691            3               0               3262            2897.00         0.00            2897.00        
  flowbits         1119264         386             32              24320           2899.00         3322.00         2861.00        
  urilen           233405          74              14              4291            3154.00         3192.00         3145.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             12867371        1123            1123            9293390         11458.00        11458.00        0.00           
  flowbits         1086753         380             26              24320           2859.00         2838.00         2861.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3718027         332             132             119113          11198.00        12569.00        10294.00       
  pcre             134482          8               2               34064           16810.00        12978.00        18087.00       
  byte_test        533373          161             77              27239           3312.00         3525.00         3117.00        
  byte_jump        97512           33              27              4324            2954.00         2953.00         2963.00        
  isdataat         8691            3               0               3262            2897.00         0.00            2897.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         32511           6               6               13837           5418.00         5418.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          141162          39              10              5533            3619.00         3551.00         3642.00        
  pcre             218538          22              3               26468           9933.00         11177.00        9737.00        
  urilen           233405          74              14              4291            3154.00         3192.00         3145.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11950           4               0               3105            2987.00         0.00            2987.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12756560        317             117             300455          40241.00        43351.00        38422.00       
  pcre             635420          163             0               36542           3898.00         0.00            3898.00        
  byte_jump        21263           7               7               3701            3037.00         3037.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          10693384        248             185             9632776         43118.00        56301.00        4405.00        
  pcre             302605          30              14              26322           10086.00        9477.00         10620.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          185404          46              34              16708           4030.00         4233.00         3455.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3555            1               1               3555            3555.00         3555.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3063            1               1               3063            3063.00         3063.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14482           4               4               3746            3620.00         3620.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6697            2               2               3527            3348.00         3348.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3936            1               0               3936            3936.00         0.00            3936.00        
  pcre             19025           1               0               19025           19025.00        0.00            19025.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          41624           12              8               4159            3468.00         3751.00         2902.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             30680           1               1               30680           30680.00        30680.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          309732          77              48              15257           4022.00         4183.00         3756.00        
  pcre             42124           6               6               10610           7020.00         7020.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3529            1               0               3529            3529.00         0.00            3529.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          18091           5               1               4687            3618.00         4687.00         3351.00        


suricata-report-2019-01-29-T-13-10-42-01292019.1310-1658ecc0-acfd-4872-b590-a3146940a21c.pcap.txt - (17708 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/84f3840384e691279c7efe63a90bdb3156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01292019.1310-1658ecc0-acfd-4872-b590-a3146940a21c.pcap -vvv -k none
elapsedtime:20.781842
stderr:
stdout:
29/1/2019 -- 13:10:21 - <Info> - Configuration node 'rule-files' redefined.
29/1/2019 -- 13:10:21 - <Notice> - This is Suricata version 4.0.0 RELEASE
29/1/2019 -- 13:10:21 - <Info> - CPUs/cores online: 1
29/1/2019 -- 13:10:21 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32051 and 'request-body-inspect-window' set to 16830 after randomization.
29/1/2019 -- 13:10:21 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33602 and 'response-body-inspect-window' set to 17180 after randomization.
29/1/2019 -- 13:10:21 - <Config> - DNS request flood protection level: 500
29/1/2019 -- 13:10:21 - <Config> - DNS per flow memcap (state-memcap): 524288
29/1/2019 -- 13:10:21 - <Config> - DNS global memcap: 16777216
29/1/2019 -- 13:10:21 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
29/1/2019 -- 13:10:21 - <Config> - preallocated 1000 hosts of size 136
29/1/2019 -- 13:10:21 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
29/1/2019 -- 13:10:21 - <Config> - using magic-file /usr/share/file/magic
29/1/2019 -- 13:10:21 - <Config> - Core dump size is unlimited.
29/1/2019 -- 13:10:21 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
29/1/2019 -- 13:10:21 - <Config> - preallocated 1000 defrag trackers of size 168
29/1/2019 -- 13:10:21 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
29/1/2019 -- 13:10:21 - <Config> - stream "prealloc-sessions": 2048 (per thread)
29/1/2019 -- 13:10:21 - <Config> - stream "memcap": 33554432
29/1/2019 -- 13:10:21 - <Config> - stream "midstream" session pickups: disabled
29/1/2019 -- 13:10:21 - <Config> - stream "async-oneside": disabled
29/1/2019 -- 13:10:21 - <Config> - stream "checksum-validation": disabled
29/1/2019 -- 13:10:21 - <Config> - stream."inline": disabled
29/1/2019 -- 13:10:21 - <Config> - stream "bypass": disabled
29/1/2019 -- 13:10:21 - <Config> - stream "max-synack-queued": 5
29/1/2019 -- 13:10:21 - <Config> - stream.reassembly "memcap": 134217728
29/1/2019 -- 13:10:21 - <Config> - stream.reassembly "depth": 0
29/1/2019 -- 13:10:21 - <Config> - stream.reassembly "toserver-chunk-size": 2569
29/1/2019 -- 13:10:21 - <Config> - stream.reassembly "toclient-chunk-size": 2677
29/1/2019 -- 13:10:21 - <Config> - stream.reassembly.raw: enabled
29/1/2019 -- 13:10:21 - <Config> - stream.reassembly "segment-prealloc": 2048
29/1/2019 -- 13:10:21 - <Config> - Delayed detect disabled
29/1/2019 -- 13:10:21 - <Config> - pattern matchers: MPM: ac, SPM: bm
29/1/2019 -- 13:10:21 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
29/1/2019 -- 13:10:21 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
29/1/2019 -- 13:10:21 - <Config> - prefilter engines: MPM
29/1/2019 -- 13:10:21 - <Config> - IP reputation disabled
29/1/2019 -- 13:10:21 - <Perf> - Registered 148 keyword profiling counters.
29/1/2019 -- 13:10:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
29/1/2019 -- 13:10:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
29/1/2019 -- 13:10:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
29/1/2019 -- 13:10:26 - <Config> - No rules loaded from ET-icmp.rules.
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
29/1/2019 -- 13:10:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
29/1/2019 -- 13:10:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
29/1/2019 -- 13:10:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
29/1/2019 -- 13:10:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
29/1/2019 -- 13:10:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
29/1/2019 -- 13:10:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
29/1/2019 -- 13:10:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
29/1/2019 -- 13:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
29/1/2019 -- 13:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
29/1/2019 -- 13:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
29/1/2019 -- 13:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
29/1/2019 -- 13:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
29/1/2019 -- 13:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
29/1/2019 -- 13:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
29/1/2019 -- 13:10:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
29/1/2019 -- 13:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
29/1/2019 -- 13:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
29/1/2019 -- 13:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
29/1/2019 -- 13:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
29/1/2019 -- 13:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
29/1/2019 -- 13:10:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
29/1/2019 -- 13:10:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
29/1/2019 -- 13:10:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
29/1/2019 -- 13:10:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
29/1/2019 -- 13:10:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
29/1/2019 -- 13:10:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
29/1/2019 -- 13:10:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
29/1/2019 -- 13:10:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
29/1/2019 -- 13:10:33 - <Config> - No rules loaded from local.rules.
29/1/2019 -- 13:10:33 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
29/1/2019 -- 13:10:33 - <Info> - Threshold config parsed: 0 rule(s) found
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for tcp-packet
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for tcp-stream
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for udp-packet
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for other-ip
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_uri
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_request_line
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_client_body
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_response_line
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_header
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_header
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_header_names
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_header_names
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_accept
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_accept_enc
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_accept_lang
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_referer
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_connection
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_content_len
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_content_len
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_content_type
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_content_type
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_protocol
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_protocol
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_start
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_start
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_raw_header
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_raw_header
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_method
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_cookie
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_cookie
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_raw_uri
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_user_agent
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_host
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_raw_host
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_stat_msg
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_stat_code
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for dns_query
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for tls_sni
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for tls_cert_issuer
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for tls_cert_subject
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for tls_cert_serial
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for dce_stub_data
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for dce_stub_data
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for ssh_protocol
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for ssh_protocol
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for ssh_software
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for ssh_software
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for file_data
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for file_data
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_request_line
29/1/2019 -- 13:10:34 - <Perf> - using shared mpm ctx' for http_response_line
29/1/2019 -- 13:10:34 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
29/1/2019 -- 13:10:34 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
29/1/2019 -- 13:10:34 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
29/1/2019 -- 13:10:34 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
29/1/2019 -- 13:10:34 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
29/1/2019 -- 13:10:34 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
29/1/2019 -- 13:10:34 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
29/1/2019 -- 13:10:34 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
29/1/2019 -- 13:10:38 - <Perf> - Unique rule groups: 104
29/1/2019 -- 13:10:38 - <Perf> - Builtin MPM "toserver TCP packet": 35
29/1/2019 -- 13:10:38 - <Perf> - Builtin MPM "toclient TCP packet": 17
29/1/2019 -- 13:10:38 - <Perf> - Builtin MPM "toserver TCP stream": 33
29/1/2019 -- 13:10:38 - <Perf> - Builtin MPM "toclient TCP stream": 19
29/1/2019 -- 13:10:38 - <Perf> - Builtin MPM "toserver UDP packet": 27
29/1/2019 -- 13:10:38 - <Perf> - Builtin MPM "toclient UDP packet": 17
29/1/2019 -- 13:10:38 - <Perf> - Builtin MPM "other IP packet": 3
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_uri": 14
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_request_line": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_client_body": 6
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient http_response_line": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_header": 10
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient http_header": 6
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_header_names": 2
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_accept": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_referer": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_content_len": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_content_type": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient http_content_type": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_protocol": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_start": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_method": 5
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_cookie": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient http_cookie": 2
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver http_host": 2
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver dns_query": 4
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver tls_sni": 2
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toserver file_data": 1
29/1/2019 -- 13:10:38 - <Perf> - AppLayer MPM "toclient file_data": 7
29/1/2019 -- 13:10:40 - <Perf> - Registered 39590 rule profiling counters.
29/1/2019 -- 13:10:40 - <Info> - fast output device (regular) initialized: alert
29/1/2019 -- 13:10:40 - <Info> - eve-log output device (regular) initialized: eve.json
29/1/2019 -- 13:10:40 - <Config> - enabling 'eve-log' module 'alert'
29/1/2019 -- 13:10:40 - <Config> - enabling 'eve-log' module 'http'
29/1/2019 -- 13:10:40 - <Config> - enabling 'eve-log' module 'dns'
29/1/2019 -- 13:10:40 - <Config> - enabling 'eve-log' module 'tls'
29/1/2019 -- 13:10:40 - <Config> - enabling 'eve-log' module 'files'
29/1/2019 -- 13:10:40 - <Config> - enabling 'eve-log' module 'ssh'
29/1/2019 -- 13:10:40 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
29/1/2019 -- 13:10:40 - <Info> - stats output device (regular) initialized: stats.log
29/1/2019 -- 13:10:40 - <Config> - AutoFP mode using "Hash" flow load balancer
29/1/2019 -- 13:10:40 - <Info> - reading pcap file /var/pcap/01292019.1310-1658ecc0-acfd-4872-b590-a3146940a21c.pcap
29/1/2019 -- 13:10:40 - <Config> - us

This file has been truncated.


IDSDeathBlossom.py.log - (1176 bytes) - download
2019-01-29 13:10:20,782 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-29 13:10:21,512 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-29 13:10:21,512 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-29 13:10:21,513 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-29 13:10:21,513 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-29 13:10:21,513 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/84f3840384e691279c7efe63a90bdb3156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01292019.1310-1658ecc0-acfd-4872-b590-a3146940a21c.pcap -vvv -k none
2019-01-29 13:10:42,297 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-29 13:10:42,298 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.5252399445