Filename: merged.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: test-test
Runtime: 3.42346692085 seconds
Hash: 8ebee8edebf9bc5c355a5c219c92344f
Uploaded: 1510153021

Logfiles


packet_stats.log (9170 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       1             2         11051295       11621712      11336503         22.7m    2.50
 IPv4       6            34          1996203       32416671      15783605        536.6m   59.16
 IPv4      17            33          1794759       15858045      10538092        347.8m   38.34
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       1             2            33597          49224         41410         82.8k    0.26
TMM_FLOWWORKER              IPv4       6            34            67668       14992614        520856         17.7m   55.67
TMM_FLOWWORKER              IPv4      17            33            72435        6597606        408222         13.5m   42.35
TMM_RECEIVEPCAPFILE         IPv4       1             2             3165           3615          3390          6.8k    0.02
TMM_RECEIVEPCAPFILE         IPv4       6            34             2856           4389          3354        114.0k    0.36
TMM_RECEIVEPCAPFILE         IPv4      17            33             2865          32907          4312        142.3k    0.45
TMM_DECODEPCAPFILE          IPv4       1             2             3222          17481         10351         20.7k    0.07
TMM_DECODEPCAPFILE          IPv4       6            34             2820           5619          3536        120.2k    0.38
TMM_DECODEPCAPFILE          IPv4      17            33             2844          31929          4347        143.5k    0.45

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       1             2             3849           6189          5019         10.0k  0.05  
flow                    IPv4       6            34             2874           6525          3477        118.2k  0.57  
flow                    IPv4      17            33             2931           8628          3869        127.7k  0.62  
stream                  IPv4       6            34             2625          18123          3295        112.1k  0.54  
app-layer               IPv4      17            33             2619          26970         11507        379.8k  1.83  
detect                  IPv4       1             2            19752          29496         24624         49.2k  0.24  
detect                  IPv4       6            34            45597       14960325        497212         16.9m  81.56 
detect                  IPv4      17            33            55821         185469         88806          2.9m  14.14 
tcp-prune               IPv4       6            34             2571           3615          2778         94.5k  0.46  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
dns                     IPv4      17            20             3333          11172          6185        123.7k  100.00
Proto detect            IPv4      17            24             2835           8694          4353        104.5k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4      17             8            19524         202992         44814        358.5k  3.78  
LOGGER_UNIFIED2             IPv4      17             8            29877         385908         75850        606.8k  6.39  
LOGGER_JSON_ALERT           IPv4      17             8            69501        5691201        789268          6.3m  66.49 
LOGGER_JSON_DNS             IPv4      17            20            33189         427113        110818          2.2m  23.34 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            11             3273          11268          6446        70.9k  20.41 
payload                           IPv4      17            33             2919           7980          4169       137.6k  39.60 
stream                            IPv4       6            11             3099          40716          8733        96.1k  27.65 
dns_query                         IPv4      17            10             3123           8247          4290        42.9k  12.35 
Total                             IPv4                    65                                          5345       347.5k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            16             2670           3213          2810         45.0k  0.23  
PROF_DETECT_IPONLY          IPv4      17            25             2670           6102          3143         78.6k  0.41  
PROF_DETECT_RULES           IPv4       6            34             2595           3423          2733         92.9k  0.48  
PROF_DETECT_RULES           IPv4      17            33             2601          56106         12545        414.0k  2.16  
PROF_DETECT_STATEFUL_START    IPv4      17             8            17715          35946         23002        184.0k  0.96  
PROF_DETECT_STATEFUL_CONT    IPv4       6            34             2598           2886          2752         93.6k  0.49  
PROF_DETECT_STATEFUL_CONT    IPv4      17            33             2604          13629          3273        108.0k  0.56  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            20             2643           3687          2810         56.2k  0.29  
PROF_DETECT_PREFILTER       IPv4       6            34             7884         109557         18114        615.9k  3.21  
PROF_DETECT_PREFILTER       IPv4      17            33            18882          45423         25725        849.0k  4.43  
PROF_DETECT_PF_PAYLOAD      IPv4       6            11            14334          94626         26293        289.2k  1.51  
PROF_DETECT_PF_PAYLOAD      IPv4      17            33             8205          14058          9528        314.4k  1.64  
PROF_DETECT_PF_TX           IPv4      17            10             8661          15471         10102        101.0k  0.53  
PROF_DETECT_PF_SORT1        IPv4      17             8             2634           2955          2706         21.7k  0.11  
PROF_DETECT_PF_SORT2        IPv4       6            34             2571          16188          3079        104.7k  0.55  
PROF_DETECT_PF_SORT2        IPv4      17            33             2577           3129          2704         89.3k  0.47  
PROF_DETECT_NONMPMLIST      IPv4       6            34             2589       14807193        438203         14.9m  77.66 
PROF_DETECT_NONMPMLIST      IPv4      17            33             2592           3381          2753         90.8k  0.47  
PROF_DETECT_ALERT           IPv4       1             2             2820           4341          3580          7.2k  0.04  
PROF_DETECT_ALERT           IPv4       6            34             2601           4416          2696         91.7k  0.48  
PROF_DETECT_ALERT           IPv4      17            33             2598          10887          3140        103.7k  0.54  
PROF_DETECT_CLEANUP         IPv4       1             2             2751           4476          3613          7.2k  0.04  
PROF_DETECT_CLEANUP         IPv4       6            34             2601           4515          2872         97.7k  0.51  
PROF_DETECT_CLEANUP         IPv4      17            33             2598           6072          3200        105.6k  0.55  
PROF_DETECT_GETSGH          IPv4       1             2             2832           4041          3436          6.9k  0.04  
PROF_DETECT_GETSGH          IPv4       6            34             2757           5784          4097        139.3k  0.73  
PROF_DETECT_GETSGH          IPv4      17            33             2643          17931          5373        177.3k  0.92  


suricata-4.0.0-test-test-perf.txt-2017-11-08-T-14-57-05-11082017.1438-merged.pcap.txt (726 bytes)
  --------------------------------------------------------------------------
  Date: 11/8/2017 -- 14:57:05. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        1            1        1        161880       58.26  8        8        32967       20235.00    20235.00    0.00       
  2        3            1        1        115956       41.74  8        8        15870       14494.50    14494.50    0.00       


stats.log (2007 bytes)
------------------------------------------------------------------------------------
Date: 11/8/2017 -- 14:57:05 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 73
decoder.bytes                              | Total                     | 9806
decoder.ipv4                               | Total                     | 69
decoder.ethernet                           | Total                     | 73
decoder.tcp                                | Total                     | 34
decoder.udp                                | Total                     | 33
decoder.icmpv4                             | Total                     | 2
decoder.avg_pkt_size                       | Total                     | 134
decoder.max_pkt_size                       | Total                     | 1035
flow.tcp                                   | Total                     | 8
flow.udp                                   | Total                     | 14
detect.alert                               | Total                     | 16
app_layer.flow.dns_udp                     | Total                     | 10
app_layer.tx.dns_udp                       | Total                     | 10
app_layer.flow.failed_udp                  | Total                     | 4
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7080640


eve.json (28166 bytes)
{"timestamp":"2017-11-02T14:05:54.494012+0000","flow_id":866314872850876,"pcap_cnt":16,"event_type":"alert","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"Suri 4 FP Test - generates fp - content, dns_query","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2017-11-02T14:05:54.494012+0000","flow_id":866314872850876,"pcap_cnt":16,"event_type":"alert","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","app_proto":"dns","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3,"rev":1,"signature":"Suri 4 FP Test - generates fp - dns_query, pkt_data, content","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-11-02T14:05:54.494012+0000","flow_id":866314872850876,"pcap_cnt":16,"event_type":"dns","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9445,"rrname":"edge.static-assets.top.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.494038+0000","flow_id":1812811848255958,"pcap_cnt":17,"event_type":"alert","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"Suri 4 FP Test - generates fp - content, dns_query","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2017-11-02T14:05:54.494038+0000","flow_id":1812811848255958,"pcap_cnt":17,"event_type":"alert","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","app_proto":"dns","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3,"rev":1,"signature":"Suri 4 FP Test - generates fp - dns_query, pkt_data, content","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-11-02T14:05:54.494038+0000","flow_id":1812811848255958,"pcap_cnt":17,"event_type":"dns","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9445,"rrname":"edge.static-assets.top.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.494050+0000","flow_id":2155782166710754,"pcap_cnt":18,"event_type":"alert","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"Suri 4 FP Test - generates fp - content, dns_query","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2017-11-02T14:05:54.494050+0000","flow_id":2155782166710754,"pcap_cnt":18,"event_type":"alert","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","app_proto":"dns","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3,"rev":1,"signature":"Suri 4 FP Test - generates fp - dns_query, pkt_data, content","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-11-02T14:05:54.494050+0000","flow_id":2155782166710754,"pcap_cnt":18,"event_type":"dns","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9445,"rrname":"edge.static-assets.top.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":2155782166710754,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.89.254"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":2155782166710754,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.89.234"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":2155782166710754,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.15.226"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":2155782166710754,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.89.158"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":2155782166710754,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.15.222"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":2155782166710754,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.89.250"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":2155782166710754,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.15.210"}}
{"timestamp":"2017-11-02T14:05:54.534085+0000","flow_id":1760131926861381,"pcap_cnt":20,"event_type":"alert","src_ip":"172.16.0.109","src_port":49513,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"Suri 4 FP Test - generates fp - content, dns_query","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2017-11-02T14:05:54.534085+0000","flow_id":1760131926861381,"pcap_cnt":20,"event_type":"alert","src_ip":"172.16.0.109","src_port":49513,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","app_proto":"dns","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3,"rev":1,"signature":"Suri 4 FP Test - generates fp - dns_query, pkt_data, content","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-11-02T14:05:54.534085+0000","flow_id":1760131926861381,"pcap_cnt":20,"event_type":"dns","src_ip":"172.16.0.109","src_port":49513,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20382,"rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.32.70"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.2"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.117.182"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.122"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.54"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.162"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.33.46"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.74"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.33.18"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":866314872850876,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.32.42"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.54"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.162"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.33.18"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.33.46"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.117.182"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.32.70"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.122"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.32.42"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.74"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1812811848255958,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.2"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1760131926861381,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:000e:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1760131926861381,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:001c:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1760131926861381,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:0013:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1760131926861381,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:0012:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1760131926861381,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:0010:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1760131926861381,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:0011:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1760131926861381,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:000d:0000



unified2.alert.1510153023 (3040 bytes)


suricata-4.0.0-test-test-alert-2017-11-08-T-14-57-05-11082017.1438-merged.pcap.txt (3284 bytes)
11/02/2017-14:05:54.494012  [**] [1:1:1] Suri 4 FP Test - generates fp - content, dns_query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:20534 -> 8.8.8.8:53
11/02/2017-14:05:54.494012  [**] [1:3:1] Suri 4 FP Test - generates fp - dns_query, pkt_data, content [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:20534 -> 8.8.8.8:53
11/02/2017-14:05:54.494038  [**] [1:1:1] Suri 4 FP Test - generates fp - content, dns_query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:20534 -> 8.8.4.4:53
11/02/2017-14:05:54.494038  [**] [1:3:1] Suri 4 FP Test - generates fp - dns_query, pkt_data, content [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:20534 -> 8.8.4.4:53
11/02/2017-14:05:54.494050  [**] [1:1:1] Suri 4 FP Test - generates fp - content, dns_query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:20534 -> 172.16.0.1:53
11/02/2017-14:05:54.494050  [**] [1:3:1] Suri 4 FP Test - generates fp - dns_query, pkt_data, content [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:20534 -> 172.16.0.1:53
11/02/2017-14:05:54.534085  [**] [1:1:1] Suri 4 FP Test - generates fp - content, dns_query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:49513 -> 172.16.0.1:53
11/02/2017-14:05:54.534085  [**] [1:3:1] Suri 4 FP Test - generates fp - dns_query, pkt_data, content [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:49513 -> 172.16.0.1:53
11/02/2017-14:05:54.575979  [**] [1:1:1] Suri 4 FP Test - generates fp - content, dns_query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:64762 -> 172.16.0.1:53
11/02/2017-14:05:54.575979  [**] [1:3:1] Suri 4 FP Test - generates fp - dns_query, pkt_data, content [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:64762 -> 172.16.0.1:53
11/02/2017-14:06:02.882026  [**] [1:1:1] Suri 4 FP Test - generates fp - content, dns_query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:51005 -> 172.16.0.1:53
11/02/2017-14:06:02.882026  [**] [1:3:1] Suri 4 FP Test - generates fp - dns_query, pkt_data, content [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:51005 -> 172.16.0.1:53
11/02/2017-14:06:02.887771  [**] [1:1:1] Suri 4 FP Test - generates fp - content, dns_query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:52745 -> 172.16.0.1:53
11/02/2017-14:06:02.887771  [**] [1:3:1] Suri 4 FP Test - generates fp - dns_query, pkt_data, content [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:52745 -> 172.16.0.1:53
11/02/2017-14:06:02.893598  [**] [1:1:1] Suri 4 FP Test - generates fp - content, dns_query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:27302 -> 172.16.0.1:53
11/02/2017-14:06:02.893598  [**] [1:3:1] Suri 4 FP Test - generates fp - dns_query, pkt_data, content [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.109:27302 -> 172.16.0.1:53


keyword_perf.log - (1516 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/8/2017 -- 14:57:05
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          70455           16              16              19581           4403.00         4403.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          70455           16              16              19581           4403.00         4403.00         0.00           


suricata-report-2017-11-08-T-14-57-05-11082017.1438-merged.pcap.txt - (10893 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /tmp/f0hyWU -l /var/www/html/8ebee8edebf9bc5c355a5c219c92344f9c2f9e8a71f573fafdf7e036e6d79be5 -r /var/pcap/11082017.1438-merged.pcap -vvv -k none
elapsedtime:1.706131
stderr:
stdout:
8/11/2017 -- 14:57:03 - <Notice> - This is Suricata version 4.0.0 RELEASE
8/11/2017 -- 14:57:03 - <Info> - CPUs/cores online: 1
8/11/2017 -- 14:57:03 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31891 and 'request-body-inspect-window' set to 15933 after randomization.
8/11/2017 -- 14:57:03 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31723 and 'response-body-inspect-window' set to 15858 after randomization.
8/11/2017 -- 14:57:03 - <Config> - DNS request flood protection level: 500
8/11/2017 -- 14:57:03 - <Config> - DNS per flow memcap (state-memcap): 524288
8/11/2017 -- 14:57:03 - <Config> - DNS global memcap: 16777216
8/11/2017 -- 14:57:03 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
8/11/2017 -- 14:57:03 - <Config> - preallocated 1000 hosts of size 136
8/11/2017 -- 14:57:03 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
8/11/2017 -- 14:57:03 - <Config> - using magic-file /usr/share/file/magic
8/11/2017 -- 14:57:03 - <Config> - Core dump size is unlimited.
8/11/2017 -- 14:57:03 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
8/11/2017 -- 14:57:03 - <Config> - preallocated 1000 defrag trackers of size 168
8/11/2017 -- 14:57:03 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
8/11/2017 -- 14:57:03 - <Config> - stream "prealloc-sessions": 2048 (per thread)
8/11/2017 -- 14:57:03 - <Config> - stream "memcap": 33554432
8/11/2017 -- 14:57:03 - <Config> - stream "midstream" session pickups: disabled
8/11/2017 -- 14:57:03 - <Config> - stream "async-oneside": disabled
8/11/2017 -- 14:57:03 - <Config> - stream "checksum-validation": disabled
8/11/2017 -- 14:57:03 - <Config> - stream."inline": disabled
8/11/2017 -- 14:57:03 - <Config> - stream "bypass": disabled
8/11/2017 -- 14:57:03 - <Config> - stream "max-synack-queued": 5
8/11/2017 -- 14:57:03 - <Config> - stream.reassembly "memcap": 134217728
8/11/2017 -- 14:57:03 - <Config> - stream.reassembly "depth": 0
8/11/2017 -- 14:57:03 - <Config> - stream.reassembly "toserver-chunk-size": 2489
8/11/2017 -- 14:57:03 - <Config> - stream.reassembly "toclient-chunk-size": 2498
8/11/2017 -- 14:57:03 - <Config> - stream.reassembly.raw: enabled
8/11/2017 -- 14:57:03 - <Config> - stream.reassembly "segment-prealloc": 2048
8/11/2017 -- 14:57:03 - <Config> - Delayed detect disabled
8/11/2017 -- 14:57:03 - <Config> - pattern matchers: MPM: ac, SPM: bm
8/11/2017 -- 14:57:03 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
8/11/2017 -- 14:57:03 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
8/11/2017 -- 14:57:03 - <Config> - prefilter engines: MPM
8/11/2017 -- 14:57:03 - <Config> - IP reputation disabled
8/11/2017 -- 14:57:03 - <Perf> - Registered 148 keyword profiling counters.
8/11/2017 -- 14:57:03 - <Config> - Loading rule file: /tmp/tmpu0MFZ5
8/11/2017 -- 14:57:03 - <Info> - 1 rule files processed. 3 rules successfully loaded, 0 rules failed
8/11/2017 -- 14:57:03 - <Info> - Threshold config parsed: 0 rule(s) found
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for tcp-packet
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for tcp-stream
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for udp-packet
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for other-ip
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_uri
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_request_line
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_client_body
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_response_line
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_header
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_header
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_header_names
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_header_names
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_accept
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_accept_enc
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_accept_lang
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_referer
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_connection
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_content_len
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_content_len
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_content_type
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_content_type
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_protocol
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_protocol
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_start
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_start
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_raw_header
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_raw_header
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_method
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_cookie
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_cookie
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_raw_uri
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_user_agent
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_host
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_raw_host
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_stat_msg
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_stat_code
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for dns_query
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for tls_sni
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for tls_cert_issuer
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for tls_cert_subject
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for tls_cert_serial
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for dce_stub_data
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for dce_stub_data
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for ssh_protocol
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for ssh_protocol
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for ssh_software
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for ssh_software
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for file_data
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for file_data
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_request_line
8/11/2017 -- 14:57:03 - <Perf> - using shared mpm ctx' for http_response_line
8/11/2017 -- 14:57:03 - <Info> - 3 signatures processed. 0 are IP-only rules, 3 are inspecting packet payload, 3 inspect application layer, 0 are decoder event only
8/11/2017 -- 14:57:03 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
8/11/2017 -- 14:57:03 - <Perf> - TCP toserver: 1 port groups, 1 unique SGH's, 0 copies
8/11/2017 -- 14:57:03 - <Perf> - TCP toclient: 1 port groups, 1 unique SGH's, 0 copies
8/11/2017 -- 14:57:03 - <Perf> - UDP toserver: 1 port groups, 1 unique SGH's, 0 copies
8/11/2017 -- 14:57:03 - <Perf> - UDP toclient: 1 port groups, 1 unique SGH's, 0 copies
8/11/2017 -- 14:57:03 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
8/11/2017 -- 14:57:03 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
8/11/2017 -- 14:57:03 - <Perf> - Unique rule groups: 4
8/11/2017 -- 14:57:03 - <Perf> - Builtin MPM "toserver TCP packet": 1
8/11/2017 -- 14:57:03 - <Perf> - Builtin MPM "toclient TCP packet": 1
8/11/2017 -- 14:57:03 - <Perf> - Builtin MPM "toserver TCP stream": 1
8/11/2017 -- 14:57:03 - <Perf> - Builtin MPM "toclient TCP stream": 1
8/11/2017 -- 14:57:03 - <Perf> - Builtin MPM "toserver UDP packet": 1
8/11/2017 -- 14:57:03 - <Perf> - Builtin MPM "toclient UDP packet": 1
8/11/2017 -- 14:57:03 - <Perf> - Builtin MPM "other IP packet": 0
8/11/2017 -- 14:57:03 - <Perf> - AppLayer MPM "toserver dns_query": 1
8/11/2017 -- 14:57:03 - <Perf> - Registered 3 rule profiling counters.
8/11/2017 -- 14:57:03 - <Info> - fast output device (regular) initialized: alert
8/11/2017 -- 14:57:03 - <Info> - eve-log output device (regular) initialized: eve.json
8/11/2017 -- 14:57:03 - <Config> - enabling 'eve-log' module 'alert'
8/11/2017 -- 14:57:03 - <Config> - enabling 'eve-log' module 'http'
8/11/2017 -- 14:57:03 - <Config> - enabling 'eve-log' module 'dns'
8/11/2017 -- 14:57:03 - <Config> - enabling 'eve-log' module 'tls'
8/11/2017 -- 14:57:03 - <Config> - enabling 'eve-log' module 'files'
8/11/2017 -- 14:57:03 - <Config> - enabling 'eve-log' module 'ssh'
8/11/2017 -- 14:57:03 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
8/11/2017 -- 14:57:03 - <Info> - stats output device (regular) initialized: stats.log
8/11/2017 -- 14:57:03 - <Config> - AutoFP mode using "Hash" flow load balancer
8/11/2017 -- 14:57:03 - <Info> - reading pcap file /var/pcap/11082017.1438-merged.pcap
8/11/2017 -- 14:57:03 - <Config> - using 1 flow manager threads
8/11/2017 -- 14:57:03 - <Config> - using 1 flow recycler threads
8/11/2017 -- 14:57:03 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
8/11/2017 -- 14:57:03 - <Info> - pcap file end of file reached (pcap err code 0)
8/11/2017 -- 14:57:03 - <Notice> - Signal Received.  Stopping engine.
8/11/2017 -- 14:57:04 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
8/11/2017 -- 14:57:04 - <Info> - time elapsed 0.642s
8/11/2017 -- 14:57:05 - <Perf> - 22 flows processed
8/11/2017 -- 14:57:05 - <Notice> - Pcap-file module read 73 packets, 9806 bytes
8/11/2017 -- 14:57:05 - <Perf> - AutoFP - Total flow handler queues - 1
8/11/2017 -- 14:57:05 - <Info> - Alerts: 16
8/11/2017 -- 14:57:05 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
8/11/2017 -- 14:57:05 - <Perf> - Done dumping profiling data.
8/11/2017 -- 14:57:05 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
8/11/2017 -- 14:57:05 - <Perf> - Dumping profiling data for 3 rules.
8/11/2017 -- 14:57:05 - <Perf> - Done dumping profiling data.
8/11/2017 -- 14:57:05 - <Perf> - Done dumping keyword profiling data.
8/11/2017 -- 14:57:05 - <Info> - cleaning up signature grouping structure... complete
returncode:0
errors:
warnings:


IDSDeathBlossom.py.log - (1242 bytes)
2017-11-08 14:57:02,002 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2017-11-08 14:57:03,311 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2017-11-08 14:57:03,311 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-test-test
2017-11-08 14:57:03,315 - INFO - generate_config - /opt/IDSDeathBlossom/IDSDeathBlossom.py +162 - Loading glob result: ['/tmp/tmpu0MFZ5']
2017-11-08 14:57:03,315 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2017-11-08 14:57:03,315 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2017-11-08 14:57:03,316 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /tmp/f0hyWU -l /var/www/html/8ebee8edebf9bc5c355a5c219c92344f9c2f9e8a71f573fafdf7e036e6d79be5 -r /var/pcap/11082017.1438-merged.pcap -vvv -k none
2017-11-08 14:57:05,024 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2017-11-08 14:57:05,026 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 3.04246115685