Filename: merged.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: test-test
Runtime: 3.6290807724 seconds
Hash: 8ebee8edebf9bc5c355a5c219c92344f
Uploaded: 1510151895

Logfiles


suricata-4.0.0-test-test-perf.txt-2017-11-08-T-14-38-19-11082017.1438-merged.pcap.txt - (470 bytes)
  --------------------------------------------------------------------------
  Date: 11/8/2017 -- 14:38:19. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 


suricata-report-2017-11-08-T-14-38-19-11082017.1438-merged.pcap.txt - (10822 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /tmp/NW7hnj -l /var/www/html/8ebee8edebf9bc5c355a5c219c92344fc440fbbd267787ae6af9eb4aa43e8947 -r /var/pcap/11082017.1438-merged.pcap -vvv -k none
elapsedtime:2.009980
stderr:
stdout:
8/11/2017 -- 14:38:17 - <Notice> - This is Suricata version 4.0.0 RELEASE
8/11/2017 -- 14:38:17 - <Info> - CPUs/cores online: 1
8/11/2017 -- 14:38:17 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32768 and 'request-body-inspect-window' set to 16054 after randomization.
8/11/2017 -- 14:38:17 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31775 and 'response-body-inspect-window' set to 16310 after randomization.
8/11/2017 -- 14:38:17 - <Config> - DNS request flood protection level: 500
8/11/2017 -- 14:38:17 - <Config> - DNS per flow memcap (state-memcap): 524288
8/11/2017 -- 14:38:17 - <Config> - DNS global memcap: 16777216
8/11/2017 -- 14:38:17 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
8/11/2017 -- 14:38:17 - <Config> - preallocated 1000 hosts of size 136
8/11/2017 -- 14:38:17 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
8/11/2017 -- 14:38:17 - <Config> - using magic-file /usr/share/file/magic
8/11/2017 -- 14:38:17 - <Config> - Core dump size is unlimited.
8/11/2017 -- 14:38:17 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
8/11/2017 -- 14:38:17 - <Config> - preallocated 1000 defrag trackers of size 168
8/11/2017 -- 14:38:17 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
8/11/2017 -- 14:38:17 - <Config> - stream "prealloc-sessions": 2048 (per thread)
8/11/2017 -- 14:38:17 - <Config> - stream "memcap": 33554432
8/11/2017 -- 14:38:17 - <Config> - stream "midstream" session pickups: disabled
8/11/2017 -- 14:38:17 - <Config> - stream "async-oneside": disabled
8/11/2017 -- 14:38:17 - <Config> - stream "checksum-validation": disabled
8/11/2017 -- 14:38:17 - <Config> - stream."inline": disabled
8/11/2017 -- 14:38:17 - <Config> - stream "bypass": disabled
8/11/2017 -- 14:38:17 - <Config> - stream "max-synack-queued": 5
8/11/2017 -- 14:38:17 - <Config> - stream.reassembly "memcap": 134217728
8/11/2017 -- 14:38:17 - <Config> - stream.reassembly "depth": 0
8/11/2017 -- 14:38:17 - <Config> - stream.reassembly "toserver-chunk-size": 2558
8/11/2017 -- 14:38:17 - <Config> - stream.reassembly "toclient-chunk-size": 2489
8/11/2017 -- 14:38:17 - <Config> - stream.reassembly.raw: enabled
8/11/2017 -- 14:38:17 - <Config> - stream.reassembly "segment-prealloc": 2048
8/11/2017 -- 14:38:17 - <Config> - Delayed detect disabled
8/11/2017 -- 14:38:17 - <Config> - pattern matchers: MPM: ac, SPM: bm
8/11/2017 -- 14:38:17 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
8/11/2017 -- 14:38:17 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
8/11/2017 -- 14:38:17 - <Config> - prefilter engines: MPM
8/11/2017 -- 14:38:17 - <Config> - IP reputation disabled
8/11/2017 -- 14:38:17 - <Perf> - Registered 148 keyword profiling counters.
8/11/2017 -- 14:38:17 - <Config> - Loading rule file: /tmp/tmp_SBmma
8/11/2017 -- 14:38:17 - <Info> - 1 rule files processed. 3 rules successfully loaded, 0 rules failed
8/11/2017 -- 14:38:17 - <Info> - Threshold config parsed: 0 rule(s) found
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for tcp-packet
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for tcp-stream
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for udp-packet
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for other-ip
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_uri
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_request_line
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_client_body
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_response_line
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_header
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_header
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_header_names
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_header_names
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_accept
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_accept_enc
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_accept_lang
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_referer
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_connection
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_content_len
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_content_len
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_content_type
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_content_type
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_protocol
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_protocol
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_start
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_start
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_raw_header
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_raw_header
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_method
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_cookie
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_cookie
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_raw_uri
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_user_agent
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_host
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_raw_host
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_stat_msg
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_stat_code
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for dns_query
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for tls_sni
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for tls_cert_issuer
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for tls_cert_subject
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for tls_cert_serial
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for dce_stub_data
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for dce_stub_data
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for ssh_protocol
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for ssh_protocol
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for ssh_software
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for ssh_software
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for file_data
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for file_data
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_request_line
8/11/2017 -- 14:38:17 - <Perf> - using shared mpm ctx' for http_response_line
8/11/2017 -- 14:38:17 - <Info> - 3 signatures processed. 0 are IP-only rules, 3 are inspecting packet payload, 3 inspect application layer, 0 are decoder event only
8/11/2017 -- 14:38:17 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
8/11/2017 -- 14:38:17 - <Perf> - TCP toserver: 1 port groups, 1 unique SGH's, 0 copies
8/11/2017 -- 14:38:17 - <Perf> - TCP toclient: 1 port groups, 1 unique SGH's, 0 copies
8/11/2017 -- 14:38:17 - <Perf> - UDP toserver: 1 port groups, 1 unique SGH's, 0 copies
8/11/2017 -- 14:38:17 - <Perf> - UDP toclient: 1 port groups, 1 unique SGH's, 0 copies
8/11/2017 -- 14:38:17 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
8/11/2017 -- 14:38:17 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
8/11/2017 -- 14:38:17 - <Perf> - Unique rule groups: 4
8/11/2017 -- 14:38:17 - <Perf> - Builtin MPM "toserver TCP packet": 1
8/11/2017 -- 14:38:17 - <Perf> - Builtin MPM "toclient TCP packet": 1
8/11/2017 -- 14:38:17 - <Perf> - Builtin MPM "toserver TCP stream": 1
8/11/2017 -- 14:38:17 - <Perf> - Builtin MPM "toclient TCP stream": 1
8/11/2017 -- 14:38:17 - <Perf> - Builtin MPM "toserver UDP packet": 1
8/11/2017 -- 14:38:17 - <Perf> - Builtin MPM "toclient UDP packet": 1
8/11/2017 -- 14:38:17 - <Perf> - Builtin MPM "other IP packet": 0
8/11/2017 -- 14:38:17 - <Perf> - Registered 3 rule profiling counters.
8/11/2017 -- 14:38:17 - <Info> - fast output device (regular) initialized: alert
8/11/2017 -- 14:38:17 - <Info> - eve-log output device (regular) initialized: eve.json
8/11/2017 -- 14:38:17 - <Config> - enabling 'eve-log' module 'alert'
8/11/2017 -- 14:38:17 - <Config> - enabling 'eve-log' module 'http'
8/11/2017 -- 14:38:17 - <Config> - enabling 'eve-log' module 'dns'
8/11/2017 -- 14:38:17 - <Config> - enabling 'eve-log' module 'tls'
8/11/2017 -- 14:38:17 - <Config> - enabling 'eve-log' module 'files'
8/11/2017 -- 14:38:17 - <Config> - enabling 'eve-log' module 'ssh'
8/11/2017 -- 14:38:17 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
8/11/2017 -- 14:38:17 - <Info> - stats output device (regular) initialized: stats.log
8/11/2017 -- 14:38:17 - <Config> - AutoFP mode using "Hash" flow load balancer
8/11/2017 -- 14:38:17 - <Info> - reading pcap file /var/pcap/11082017.1438-merged.pcap
8/11/2017 -- 14:38:17 - <Config> - using 1 flow manager threads
8/11/2017 -- 14:38:17 - <Config> - using 1 flow recycler threads
8/11/2017 -- 14:38:17 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
8/11/2017 -- 14:38:17 - <Info> - pcap file end of file reached (pcap err code 0)
8/11/2017 -- 14:38:17 - <Notice> - Signal Received.  Stopping engine.
8/11/2017 -- 14:38:18 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
8/11/2017 -- 14:38:18 - <Info> - time elapsed 0.946s
8/11/2017 -- 14:38:19 - <Perf> - 22 flows processed
8/11/2017 -- 14:38:19 - <Notice> - Pcap-file module read 73 packets, 9806 bytes
8/11/2017 -- 14:38:19 - <Perf> - AutoFP - Total flow handler queues - 1
8/11/2017 -- 14:38:19 - <Info> - Alerts: 0
8/11/2017 -- 14:38:19 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
8/11/2017 -- 14:38:19 - <Perf> - Done dumping profiling data.
8/11/2017 -- 14:38:19 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
8/11/2017 -- 14:38:19 - <Perf> - Dumping profiling data for 3 rules.
8/11/2017 -- 14:38:19 - <Perf> - Done dumping profiling data.
8/11/2017 -- 14:38:19 - <Perf> - Done dumping keyword profiling data.
8/11/2017 -- 14:38:19 - <Info> - cleaning up signature grouping structure... complete
returncode: 0
errors:
warnings:


packet_stats.log - (8302 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       1             2         11049765       11443383      11246574         22.5m    2.48
 IPv4       6            34          1903500       21778320      15267200        519.1m   57.29
 IPv4      17            33          1644738       18423516      11046549        364.5m   40.23
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       1             2            31494          32436         31965         63.9k    0.31
TMM_FLOWWORKER              IPv4       6            34            68193         556686        144564          4.9m   23.83
TMM_FLOWWORKER              IPv4      17            33            72450        7238523        459513         15.2m   73.52
TMM_RECEIVEPCAPFILE         IPv4       1             2             4053           4200          4126          8.3k    0.04
TMM_RECEIVEPCAPFILE         IPv4       6            34             2841           4476          3048        103.6k    0.50
TMM_RECEIVEPCAPFILE         IPv4      17            33             2634          11427          3383        111.7k    0.54
TMM_DECODEPCAPFILE          IPv4       1             2             4605          23544         14074         28.1k    0.14
TMM_DECODEPCAPFILE          IPv4       6            34             2811           5886          3158        107.4k    0.52
TMM_DECODEPCAPFILE          IPv4      17            33             2802          21441          3726        123.0k    0.60

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       1             2             3636           3846          3741          7.5k  0.09  
flow                    IPv4       6            34             2982           4956          3588        122.0k  1.47  
flow                    IPv4      17            33             2970          45531          5395        178.1k  2.14  
stream                  IPv4       6            34             2628          17601          3741        127.2k  1.53  
app-layer               IPv4      17            33             2625          33735         12784        421.9k  5.07  
detect                  IPv4       1             2            19326          19629         19477         39.0k  0.47  
detect                  IPv4       6            34            46158         532491        120276          4.1m  49.15 
detect                  IPv4      17            33            55827         475800         98175          3.2m  38.94 
tcp-prune               IPv4       6            34             2574           3987          2782         94.6k  1.14  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
dns                     IPv4      17            20             4713          14691          7240        144.8k  100.00
Proto detect            IPv4      17            24             2796          10068          5068        121.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_JSON_DNS             IPv4      17            20            37866        7085703        538519         10.8m  100.00

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            11             3951          11175          6373        70.1k  25.60 
payload                           IPv4      17            33             2943           6144          4302       142.0k  51.84 
stream                            IPv4       6            11             3222          10074          5617        61.8k  22.56 
Total                             IPv4                    55                                          4979       273.9k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            16             2661           2973          2811         45.0k  0.68  
PROF_DETECT_IPONLY          IPv4      17            25             2664           8064          3403         85.1k  1.30  
PROF_DETECT_RULES           IPv4       6            34             2592         389064         14130        480.4k  7.32  
PROF_DETECT_RULES           IPv4      17            33             2592         402963         14936        492.9k  7.51  
PROF_DETECT_STATEFUL_CONT    IPv4       6            34             2574         396057         14445        491.1k  7.48  
PROF_DETECT_STATEFUL_CONT    IPv4      17            33             2589          12858          3445        113.7k  1.73  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            20             2700           4011          3070         61.4k  0.94  
PROF_DETECT_PREFILTER       IPv4       6            34             7965         488301         30156          1.0m  15.61 
PROF_DETECT_PREFILTER       IPv4      17            33            18759         252888         30236        997.8k  15.19 
PROF_DETECT_PF_PAYLOAD      IPv4       6            11            14973          29424         20490        225.4k  3.43  
PROF_DETECT_PF_PAYLOAD      IPv4      17            33             8145          13539         10014        330.5k  5.03  
PROF_DETECT_PF_SORT2        IPv4       6            34             2574         480669         16762        569.9k  8.68  
PROF_DETECT_PF_SORT2        IPv4      17            33             2580         235470          9844        324.9k  4.95  
PROF_DETECT_NONMPMLIST      IPv4       6            34             2601           3699          2847         96.8k  1.47  
PROF_DETECT_NONMPMLIST      IPv4      17            33             2598           4020          2959         97.6k  1.49  
PROF_DETECT_ALERT           IPv4       1             2             2703           2823          2763          5.5k  0.08  
PROF_DETECT_ALERT           IPv4       6            34             2601           3642          2703         91.9k  1.40  
PROF_DETECT_ALERT           IPv4      17            33             2604           4890          2906         95.9k  1.46  
PROF_DETECT_CLEANUP         IPv4       1             2             2646           2751          2698          5.4k  0.08  
PROF_DETECT_CLEANUP         IPv4       6            34             2592           4152          2940        100.0k  1.52  
PROF_DETECT_CLEANUP         IPv4      17            33             2595           7650          3490        115.2k  1.75  
PROF_DETECT_GETSGH          IPv4       1             2             2817           2859          2838          5.7k  0.09  
PROF_DETECT_GETSGH          IPv4       6            34             2652         394284         15666        532.7k  8.11  
PROF_DETECT_GETSGH          IPv4      17            33             2640           8457          5347        176.5k  2.69  


stats.log - (1931 bytes)
------------------------------------------------------------------------------------
Date: 11/8/2017 -- 14:38:19 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 73
decoder.bytes                              | Total                     | 9806
decoder.ipv4                               | Total                     | 69
decoder.ethernet                           | Total                     | 73
decoder.tcp                                | Total                     | 34
decoder.udp                                | Total                     | 33
decoder.icmpv4                             | Total                     | 2
decoder.avg_pkt_size                       | Total                     | 134
decoder.max_pkt_size                       | Total                     | 1035
flow.tcp                                   | Total                     | 8
flow.udp                                   | Total                     | 14
app_layer.flow.dns_udp                     | Total                     | 10
app_layer.tx.dns_udp                       | Total                     | 10
app_layer.flow.failed_udp                  | Total                     | 4
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7080640


eve.json - (21478 bytes)
{"timestamp":"2017-11-02T14:05:54.494012+0000","flow_id":1596240269838780,"pcap_cnt":16,"event_type":"dns","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9445,"rrname":"edge.static-assets.top.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.494038+0000","flow_id":1058942008592854,"pcap_cnt":17,"event_type":"dns","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"8.8.4.4","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9445,"rrname":"edge.static-assets.top.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.494050+0000","flow_id":1952052540508642,"pcap_cnt":18,"event_type":"dns","src_ip":"172.16.0.109","src_port":20534,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9445,"rrname":"edge.static-assets.top.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":1952052540508642,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.89.254"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":1952052540508642,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.89.234"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":1952052540508642,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.15.226"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":1952052540508642,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.89.158"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":1952052540508642,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.15.222"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":1952052540508642,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.89.250"}}
{"timestamp":"2017-11-02T14:05:54.533657+0000","flow_id":1952052540508642,"pcap_cnt":19,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":30,"rdata":"69.241.15.210"}}
{"timestamp":"2017-11-02T14:05:54.534085+0000","flow_id":1568093201638981,"pcap_cnt":20,"event_type":"dns","src_ip":"172.16.0.109","src_port":49513,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20382,"rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.32.70"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.2"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.117.182"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.122"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.54"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.162"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.33.46"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.102.74"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.33.18"}}
{"timestamp":"2017-11-02T14:05:54.554882+0000","flow_id":1596240269838780,"pcap_cnt":21,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":20,"rdata":"69.241.32.42"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.54"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.162"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.33.18"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.33.46"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.117.182"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.32.70"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.122"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.32.42"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.74"}}
{"timestamp":"2017-11-02T14:05:54.559032+0000","flow_id":1058942008592854,"pcap_cnt":23,"event_type":"dns","src_ip":"8.8.4.4","src_port":53,"dest_ip":"172.16.0.109","dest_port":20534,"proto":"UDP","dns":{"type":"answer","id":9445,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":5,"rdata":"69.241.102.2"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1568093201638981,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:000e:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1568093201638981,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:001c:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1568093201638981,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:0013:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1568093201638981,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:0012:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1568093201638981,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:0010:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1568093201638981,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:0011:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.573432+0000","flow_id":1568093201638981,"pcap_cnt":25,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":49513,"proto":"UDP","dns":{"type":"answer","id":20382,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"AAAA","ttl":30,"rdata":"2001:0558:fe0b:000d:0000:0000:0000:0002"}}
{"timestamp":"2017-11-02T14:05:54.575979+0000","flow_id":1481328419850731,"pcap_cnt":26,"event_type":"dns","src_ip":"172.16.0.109","src_port":64762,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2159,"rrname":"edge.static-assets.top.comcast.net","rrtype":"MX","tx_id":0}}
{"timestamp":"2017-11-02T14:05:54.628967+0000","flow_id":1481328419850731,"pcap_cnt":27,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":64762,"proto":"UDP","dns":{"type":"answer","id":2159,"rcode":"NOERROR","rrname":"static-assets.top.comcast.net","rrtype":"SOA","ttl":30}}
{"timestamp":"2017-11-02T14:05:59.703495+0000","flow_id":1792659862043655,"pcap_cnt":33,"event_type":"dns","src_ip":"172.16.0.109","src_port":48105,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16310,"rrname":"edge.static-assets.bid.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:05:59.743444+0000","flow_id":1792659862043655,"pcap_cnt":34,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":48105,"proto":"UDP","dns":{"type":"answer","id":16310,"rcode":"NXDOMAIN","rrname":"edge.static-assets.bid.comcast.net"}}
{"timestamp":"2017-11-02T14:05:59.743444+0000","flow_id":1792659862043655,"pcap_cnt":34,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":48105,"proto":"UDP","dns":{"type":"answer","id":16310,"rcode":"NXDOMAIN","rrname":"comcast.net","rrtype":"SOA","ttl":1800}}
{"timestamp":"2017-11-02T14:06:01.991211+0000","flow_id":1876901350678507,"pcap_cnt":43,"event_type":"dns","src_ip":"172.16.0.109","src_port":22653,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34621,"rrname":"edge.static-assets.bid.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:06:01.992340+0000","flow_id":1876901350678507,"pcap_cnt":44,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":22653,"proto":"UDP","dns":{"type":"answer","id":34621,"rcode":"NXDOMAIN","rrname":"edge.static-assets.bid.comcast.net"}}
{"timestamp":"2017-11-02T14:06:02.882026+0000","flow_id":813615624648042,"pcap_cnt":49,"event_type":"dns","src_ip":"172.16.0.109","src_port":51005,"dest_ip":"172.16.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16311,"rrname":"edge.static-assets.top.comcast.net","rrtype":"A","tx_id":0}}
{"timestamp":"2017-11-02T14:06:02.887277+0000","flow_id":813615624648042,"pcap_cnt":50,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":51005,"proto":"UDP","dns":{"type":"answer","id":16311,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":21,"rdata":"69.241.15.210"}}
{"timestamp":"2017-11-02T14:06:02.887277+0000","flow_id":813615624648042,"pcap_cnt":50,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":51005,"proto":"UDP","dns":{"type":"answer","id":16311,"rcode":"NOERROR","rrname":"edge.static-assets.top.comcast.net","rrtype":"A","ttl":21,"rdata":"69.241.89.250"}}
{"timestamp":"2017-11-02T14:06:02.887277+0000","flow_id":813615624648042,"pcap_cnt":50,"event_type":"dns","src_ip":"172.16.0.1","src_port":53,"dest_ip":"172.16.0.109","dest_port":

This file has been truncated.


keyword_perf.log - (706 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/8/2017 -- 14:38:19
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 


IDSDeathBlossom.py.log - (1242 bytes) - download
2017-11-08 14:38:15,727 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2017-11-08 14:38:17,001 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2017-11-08 14:38:17,002 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-test-test
2017-11-08 14:38:17,005 - INFO - generate_config - /opt/IDSDeathBlossom/IDSDeathBlossom.py +162 - Loading glob result: ['/tmp/tmp_SBmma']
2017-11-08 14:38:17,006 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2017-11-08 14:38:17,006 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2017-11-08 14:38:17,006 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /tmp/NW7hnj -l /var/www/html/8ebee8edebf9bc5c355a5c219c92344fc440fbbd267787ae6af9eb4aa43e8947 -r /var/pcap/11082017.1438-merged.pcap -vvv -k none
2017-11-08 14:38:19,019 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2017-11-08 14:38:19,020 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 3.32273507118