lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/94e64e1e3fd67c00310755a118a106a656b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09232019.1142-pcap_1.pcap -vvv -k none
elapsedtime:22.353517
stderr:
stdout:
23/9/2019 -- 11:42:14 - <Info> - Configuration node 'rule-files' redefined.
23/9/2019 -- 11:42:14 - <Notice> - This is Suricata version 4.0.0 RELEASE
23/9/2019 -- 11:42:14 - <Info> - CPUs/cores online: 1
23/9/2019 -- 11:42:14 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32484 and 'request-body-inspect-window' set to 16779 after randomization.
23/9/2019 -- 11:42:14 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31190 and 'response-body-inspect-window' set to 16944 after randomization.
23/9/2019 -- 11:42:14 - <Config> - DNS request flood protection level: 500
23/9/2019 -- 11:42:14 - <Config> - DNS per flow memcap (state-memcap): 524288
23/9/2019 -- 11:42:14 - <Config> - DNS global memcap: 16777216
23/9/2019 -- 11:42:14 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
23/9/2019 -- 11:42:14 - <Config> - preallocated 1000 hosts of size 136
23/9/2019 -- 11:42:14 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
23/9/2019 -- 11:42:14 - <Config> - using magic-file /usr/share/file/magic
23/9/2019 -- 11:42:14 - <Config> - Core dump size is unlimited.
23/9/2019 -- 11:42:14 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
23/9/2019 -- 11:42:14 - <Config> - preallocated 1000 defrag trackers of size 168
23/9/2019 -- 11:42:14 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
23/9/2019 -- 11:42:15 - <Config> - stream "prealloc-sessions": 2048 (per thread)
23/9/2019 -- 11:42:15 - <Config> - stream "memcap": 33554432
23/9/2019 -- 11:42:15 - <Config> - stream "midstream" session pickups: disabled
23/9/2019 -- 11:42:15 - <Config> - stream "async-oneside": disabled
23/9/2019 -- 11:42:15 - <Config> - stream "checksum-validation": disabled
23/9/2019 -- 11:42:15 - <Config> - stream."inline": disabled
23/9/2019 -- 11:42:15 - <Config> - stream "bypass": disabled
23/9/2019 -- 11:42:15 - <Config> - stream "max-synack-queued": 5
23/9/2019 -- 11:42:15 - <Config> - stream.reassembly "memcap": 134217728
23/9/2019 -- 11:42:15 - <Config> - stream.reassembly "depth": 0
23/9/2019 -- 11:42:15 - <Config> - stream.reassembly "toserver-chunk-size": 2544
23/9/2019 -- 11:42:15 - <Config> - stream.reassembly "toclient-chunk-size": 2540
23/9/2019 -- 11:42:15 - <Config> - stream.reassembly.raw: enabled
23/9/2019 -- 11:42:15 - <Config> - stream.reassembly "segment-prealloc": 2048
23/9/2019 -- 11:42:15 - <Config> - Delayed detect disabled
23/9/2019 -- 11:42:15 - <Config> - pattern matchers: MPM: ac, SPM: bm
23/9/2019 -- 11:42:15 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
23/9/2019 -- 11:42:15 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
23/9/2019 -- 11:42:15 - <Config> - prefilter engines: MPM
23/9/2019 -- 11:42:15 - <Config> - IP reputation disabled
23/9/2019 -- 11:42:15 - <Perf> - Registered 148 keyword profiling counters.
23/9/2019 -- 11:42:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
23/9/2019 -- 11:42:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
23/9/2019 -- 11:42:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
23/9/2019 -- 11:42:20 - <Config> - No rules loaded from ET-icmp.rules.
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
23/9/2019 -- 11:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
23/9/2019 -- 11:42:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
23/9/2019 -- 11:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
23/9/2019 -- 11:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
23/9/2019 -- 11:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
23/9/2019 -- 11:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
23/9/2019 -- 11:42:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
23/9/2019 -- 11:42:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
23/9/2019 -- 11:42:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
23/9/2019 -- 11:42:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
23/9/2019 -- 11:42:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
23/9/2019 -- 11:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
23/9/2019 -- 11:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
23/9/2019 -- 11:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
23/9/2019 -- 11:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
23/9/2019 -- 11:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
23/9/2019 -- 11:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
23/9/2019 -- 11:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
23/9/2019 -- 11:42:27 - <Config> - No rules loaded from local.rules.
23/9/2019 -- 11:42:27 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
23/9/2019 -- 11:42:27 - <Info> - Threshold config parsed: 0 rule(s) found
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for tcp-packet
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for tcp-stream
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for udp-packet
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for other-ip
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_uri
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_request_line
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_client_body
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_response_line
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_header
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_header
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_header_names
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_header_names
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_accept
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_accept_enc
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_accept_lang
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_referer
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_connection
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_content_len
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_content_len
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_content_type
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_content_type
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_protocol
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_protocol
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_start
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_start
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_raw_header
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_raw_header
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_method
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_cookie
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_cookie
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_raw_uri
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_user_agent
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_host
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_raw_host
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_stat_msg
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_stat_code
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for dns_query
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for tls_sni
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for tls_cert_issuer
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for tls_cert_subject
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for tls_cert_serial
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for dce_stub_data
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for dce_stub_data
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for ssh_protocol
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for ssh_protocol
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for ssh_software
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for ssh_software
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for file_data
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for file_data
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_request_line
23/9/2019 -- 11:42:28 - <Perf> - using shared mpm ctx' for http_response_line
23/9/2019 -- 11:42:28 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
23/9/2019 -- 11:42:28 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
23/9/2019 -- 11:42:28 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
23/9/2019 -- 11:42:28 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
23/9/2019 -- 11:42:28 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
23/9/2019 -- 11:42:28 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
23/9/2019 -- 11:42:28 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
23/9/2019 -- 11:42:28 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
23/9/2019 -- 11:42:33 - <Perf> - Unique rule groups: 104
23/9/2019 -- 11:42:33 - <Perf> - Builtin MPM "toserver TCP packet": 35
23/9/2019 -- 11:42:33 - <Perf> - Builtin MPM "toclient TCP packet": 17
23/9/2019 -- 11:42:33 - <Perf> - Builtin MPM "toserver TCP stream": 33
23/9/2019 -- 11:42:33 - <Perf> - Builtin MPM "toclient TCP stream": 19
23/9/2019 -- 11:42:33 - <Perf> - Builtin MPM "toserver UDP packet": 27
23/9/2019 -- 11:42:33 - <Perf> - Builtin MPM "toclient UDP packet": 17
23/9/2019 -- 11:42:33 - <Perf> - Builtin MPM "other IP packet": 3
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_uri": 14
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_request_line": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_client_body": 6
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient http_response_line": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_header": 10
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient http_header": 6
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_header_names": 2
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_accept": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_referer": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_content_len": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_content_type": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient http_content_type": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_protocol": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_start": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_method": 5
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_cookie": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient http_cookie": 2
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver http_host": 2
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver dns_query": 4
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver tls_sni": 2
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toserver file_data": 1
23/9/2019 -- 11:42:33 - <Perf> - AppLayer MPM "toclient file_data": 7
23/9/2019 -- 11:42:35 - <Perf> - Registered 39590 rule profiling counters.
23/9/2019 -- 11:42:35 - <Info> - fast output device (regular) initialized: alert
23/9/2019 -- 11:42:35 - <Info> - eve-log output device (regular) initialized: eve.json
23/9/2019 -- 11:42:35 - <Config> - enabling 'eve-log' module 'alert'
23/9/2019 -- 11:42:35 - <Config> - enabling 'eve-log' module 'http'
23/9/2019 -- 11:42:35 - <Config> - enabling 'eve-log' module 'dns'
23/9/2019 -- 11:42:35 - <Config> - enabling 'eve-log' module 'tls'
23/9/2019 -- 11:42:35 - <Config> - enabling 'eve-log' module 'files'
23/9/2019 -- 11:42:35 - <Config> - enabling 'eve-log' module 'ssh'
23/9/2019 -- 11:42:35 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
23/9/2019 -- 11:42:35 - <Info> - stats output device (regular) initialized: stats.log
23/9/2019 -- 11:42:35 - <Config> - AutoFP mode using "Hash" flow load balancer
23/9/2019 -- 11:42:35 - <Info> - reading pcap file /var/pcap/09232019.1142-pcap_1.pcap
23/9/2019 -- 11:42:35 - <Config> - using 1 flow manager threads
23/9/2019 -- 11:42:35 - <Config>

Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 1 1 6806144 6806144 6806144 6.8m 0.00
IPv4 2 14 3416464 334599032 119186935 1.7b 1.08
IPv4 17 664 4173916 437005414 230070886 152.8b 98.92
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 1 1 228282 228282 228282 228.3k 0.05
TMM_FLOWWORKER IPv4 2 14 132564 355910 161551 2.3m 0.48
TMM_FLOWWORKER IPv4 17 664 205500 19310720 693644 460.6m 97.25
TMM_RECEIVEPCAPFILE IPv4 1 1 4716 4716 4716 4.7k 0.00
TMM_RECEIVEPCAPFILE IPv4 2 14 4448 5964 4852 67.9k 0.01
TMM_RECEIVEPCAPFILE IPv4 17 664 4430 3854646 10647 7.1m 1.49
TMM_DECODEPCAPFILE IPv4 1 1 18096 18096 18096 18.1k 0.00
TMM_DECODEPCAPFILE IPv4 2 14 4588 14244 5606 78.5k 0.02
TMM_DECODEPCAPFILE IPv4 17 664 4562 19812 4932 3.3m 0.69
Flow Worker IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
flow IPv4 1 1 5160 5160 5160 5.2k 0.00
flow IPv4 17 664 4746 33436 6186 4.1m 1.06
app-layer IPv4 17 664 4430 61086 19403 12.9m 3.33
detect IPv4 1 1 208654 208654 208654 208.7k 0.05
detect IPv4 2 14 123268 345846 151713 2.1m 0.55
detect IPv4 17 664 177548 10681818 553352 367.4m 95.00
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
dns IPv4 17 570 5228 31754 6267 3.6m 100.00
Proto detect IPv4 17 574 4862 35546 6037 3.5m
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
LOGGER_JSON_DNS IPv4 17 563 29580 17734088 73632 41.5m 100.00
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 1 1 22876 22876 22876 22.9k 0.23
payload IPv4 17 664 5280 50390 11659 7.7m 77.60
dns_query IPv4 17 282 5058 67710 7845 2.2m 22.17
Total IPv4 947 10535 10.0m
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
PROF_DETECT_IPONLY IPv4 1 1 41880 41880 41880 41.9k 0.01
PROF_DETECT_IPONLY IPv4 2 14 41770 259250 62886 880.4k 0.24
PROF_DETECT_IPONLY IPv4 17 572 41282 132712 46368 26.5m 7.32
PROF_DETECT_RULES IPv4 1 1 43108 43108 43108 43.1k 0.01
PROF_DETECT_RULES IPv4 2 14 4420 5610 4605 64.5k 0.02
PROF_DETECT_RULES IPv4 17 664 76702 10566504 359357 238.6m 65.88
PROF_DETECT_STATEFUL_START IPv4 17 3 15098 22936 18578 55.7k 0.02
PROF_DETECT_STATEFUL_CONT IPv4 1 1 4420 4420 4420 4.4k 0.00
PROF_DETECT_STATEFUL_CONT IPv4 2 14 4406 4692 4485 62.8k 0.02
PROF_DETECT_STATEFUL_CONT IPv4 17 664 4402 92444 8667 5.8m 1.59
PROF_DETECT_STATEFUL_UPDATE IPv4 17 563 4506 46810 5163 2.9m 0.80
PROF_DETECT_PREFILTER IPv4 1 1 59742 59742 59742 59.7k 0.02
PROF_DETECT_PREFILTER IPv4 2 14 13624 42256 16747 234.5k 0.06
PROF_DETECT_PREFILTER IPv4 17 664 41514 518024 64175 42.6m 11.77
PROF_DETECT_PF_PAYLOAD IPv4 1 1 31970 31970 31970 32.0k 0.01
PROF_DETECT_PF_PAYLOAD IPv4 17 664 14404 490336 22258 14.8m 4.08
PROF_DETECT_PF_TX IPv4 17 282 14094 81454 17711 5.0m 1.38
PROF_DETECT_PF_SORT1 IPv4 1 1 4540 4540 4540 4.5k 0.00
PROF_DETECT_PF_SORT1 IPv4 17 664 4452 31696 6253 4.2m 1.15
PROF_DETECT_PF_SORT2 IPv4 1 1 5298 5298 5298 5.3k 0.00
PROF_DETECT_PF_SORT2 IPv4 2 14 4410 5446 4637 64.9k 0.02
PROF_DETECT_PF_SORT2 IPv4 17 664 4448 35766 5205 3.5m 0.95
PROF_DETECT_NONMPMLIST IPv4 1 1 4632 4632 4632 4.6k 0.00
PROF_DETECT_NONMPMLIST IPv4 2 14 4426 26034 6139 86.0k 0.02
PROF_DETECT_NONMPMLIST IPv4 17 664 4422 25298 5072 3.4m 0.93
PROF_DETECT_ALERT IPv4 1 1 4522 4522 4522 4.5k 0.00
PROF_DETECT_ALERT IPv4 2 14 4424 5584 4572 64.0k 0.02
PROF_DETECT_ALERT IPv4 17 664 4420 32318 5040 3.3m 0.92
PROF_DETECT_CLEANUP IPv4 1 1 4540 4540 4540 4.5k 0.00
PROF_DETECT_CLEANUP IPv4 2 14 4408 5358 4509 63.1k 0.02
PROF_DETECT_CLEANUP IPv4 17 664 4424 28754 5296 3.5m 0.97
PROF_DETECT_GETSGH IPv4 1 1 5272 5272 5272 5.3k 0.00
PROF_DETECT_GETSGH IPv4 2 14 4614 5198 4753 66.5k 0.02
PROF_DETECT_GETSGH IPv4 17 664 4418 82644 9495 6.3m 1.74

------------------------------------------------------------------------------------
Date: 9/23/2019 -- 11:42:37 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 705
decoder.bytes | Total | 64999
decoder.ipv4 | Total | 679
decoder.ethernet | Total | 705
decoder.udp | Total | 664
decoder.icmpv4 | Total | 1
decoder.avg_pkt_size | Total | 92
decoder.max_pkt_size | Total | 243
flow.udp | Total | 292
detect.mpm_list | Total | 17
detect.nonmpm_list | Total | 4
detect.fnonmpm_list | Total | 4
detect.match_list | Total | 21
app_layer.flow.dns_udp | Total | 281
app_layer.tx.dns_udp | Total | 282
app_layer.flow.failed_udp | Total | 11
flow_mgr.new_pruned | Total | 10
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 279
flow_mgr.flows_notimeout | Total | 269
flow_mgr.flows_timeout | Total | 10
flow_mgr.flows_removed | Total | 10
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65258
flow_mgr.rows_maxlen | Total | 2
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7158400

{"timestamp":"2019-02-28T04:28:13.296170+0000","flow_id":1969527640130794,"pcap_cnt":29,"event_type":"dns","src_ip":"192.168.56.112","src_port":52451,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2304,"rrname":"d.8.1.f.9.a.f.a.0.9.2.1.c.3.9.3.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-28T04:28:13.323428+0000","flow_id":1729370248834916,"pcap_cnt":30,"event_type":"dns","src_ip":"192.168.56.112","src_port":54198,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63971,"rrname":"107.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-28T04:28:13.582634+0000","flow_id":1969527640130794,"pcap_cnt":33,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":52451,"proto":"UDP","dns":{"type":"answer","id":2304,"rcode":"NOERROR","rrname":"d.8.1.f.9.a.f.a.0.9.2.1.c.3.9.3.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:13.588078+0000","flow_id":1729370248834916,"pcap_cnt":34,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":54198,"proto":"UDP","dns":{"type":"answer","id":63971,"rcode":"NOERROR","rrname":"107.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:14.230344+0000","flow_id":2006208808387528,"pcap_cnt":35,"event_type":"dns","src_ip":"192.168.56.112","src_port":62568,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10501,"rrname":"www.sYgdZzV0FK.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:14.541338+0000","flow_id":2006208808387528,"pcap_cnt":49,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":62568,"proto":"UDP","dns":{"type":"answer","id":10501,"rcode":"NOERROR","rrname":"www.sYgdZzV0FK.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:14.562548+0000","flow_id":1557513574978932,"pcap_cnt":50,"event_type":"dns","src_ip":"192.168.56.112","src_port":50215,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16011,"rrname":"www.ixDvU2iwYD.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:14.868441+0000","flow_id":1557513574978932,"pcap_cnt":67,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":50215,"proto":"UDP","dns":{"type":"answer","id":16011,"rcode":"NOERROR","rrname":"www.ixDvU2iwYD.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:14.888253+0000","flow_id":5559354822077,"pcap_cnt":68,"event_type":"dns","src_ip":"192.168.56.112","src_port":61954,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11613,"rrname":"www.YaEXydlYPU.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:15.345515+0000","flow_id":5559354822077,"pcap_cnt":77,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":61954,"proto":"UDP","dns":{"type":"answer","id":11613,"rcode":"NOERROR","rrname":"www.YaEXydlYPU.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:15.367867+0000","flow_id":1147067172887803,"pcap_cnt":78,"event_type":"dns","src_ip":"192.168.56.112","src_port":51297,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7434,"rrname":"www.YX1YuoxUe4.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:15.608771+0000","flow_id":1521934065945091,"pcap_cnt":83,"event_type":"dns","src_ip":"192.168.56.112","src_port":65464,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1829,"rrname":"111.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-28T04:28:15.608993+0000","flow_id":909858276592353,"pcap_cnt":84,"event_type":"dns","src_ip":"192.168.56.112","src_port":61496,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14406,"rrname":"102.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-28T04:28:15.609165+0000","flow_id":225708641045389,"pcap_cnt":85,"event_type":"dns","src_ip":"192.168.56.112","src_port":51754,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54045,"rrname":"1.e.4.1.e.a.b.8.8.d.b.8.a.0.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-28T04:28:15.609570+0000","flow_id":1455587558640930,"pcap_cnt":86,"event_type":"dns","src_ip":"192.168.56.112","src_port":65421,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":53887,"rrname":"113.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-02-28T04:28:15.671739+0000","flow_id":1147067172887803,"pcap_cnt":87,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":51297,"proto":"UDP","dns":{"type":"answer","id":7434,"rcode":"NOERROR","rrname":"www.YX1YuoxUe4.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:15.691387+0000","flow_id":831103608786107,"pcap_cnt":88,"event_type":"dns","src_ip":"192.168.56.112","src_port":63553,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9139,"rrname":"www.tMbkzw21ro.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:15.883637+0000","flow_id":1521934065945091,"pcap_cnt":89,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":65464,"proto":"UDP","dns":{"type":"answer","id":1829,"rcode":"NOERROR","rrname":"111.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:15.884936+0000","flow_id":909858276592353,"pcap_cnt":90,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":61496,"proto":"UDP","dns":{"type":"answer","id":14406,"rcode":"NOERROR","rrname":"102.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:15.885356+0000","flow_id":1455587558640930,"pcap_cnt":91,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":65421,"proto":"UDP","dns":{"type":"answer","id":53887,"rcode":"NOERROR","rrname":"113.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:15.905519+0000","flow_id":225708641045389,"pcap_cnt":92,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":51754,"proto":"UDP","dns":{"type":"answer","id":54045,"rcode":"NOERROR","rrname":"1.e.4.1.e.a.b.8.8.d.b.8.a.0.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:16.002329+0000","flow_id":831103608786107,"pcap_cnt":93,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":63553,"proto":"UDP","dns":{"type":"answer","id":9139,"rcode":"NOERROR","rrname":"www.tMbkzw21ro.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:16.127086+0000","flow_id":1021447969501294,"pcap_cnt":100,"event_type":"dns","src_ip":"192.168.56.112","src_port":52753,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38369,"rrname":"www.azsI0KlAPg.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:16.459676+0000","flow_id":1021447969501294,"pcap_cnt":105,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":52753,"proto":"UDP","dns":{"type":"answer","id":38369,"rcode":"NOERROR","rrname":"www.azsI0KlAPg.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:16.477644+0000","flow_id":314857129789900,"pcap_cnt":106,"event_type":"dns","src_ip":"192.168.56.112","src_port":55738,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4182,"rrname":"www.w7DxlizKBV.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:16.778588+0000","flow_id":314857129789900,"pcap_cnt":107,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":55738,"proto":"UDP","dns":{"type":"answer","id":4182,"rcode":"NOERROR","rrname":"www.w7DxlizKBV.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:16.795978+0000","flow_id":1638327679722826,"pcap_cnt":108,"event_type":"dns","src_ip":"192.168.56.112","src_port":56809,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1248,"rrname":"www.p7dQmaYJfX.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:17.109311+0000","flow_id":1638327679722826,"pcap_cnt":118,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":56809,"proto":"UDP","dns":{"type":"answer","id":1248,"rcode":"NOERROR","rrname":"www.p7dQmaYJfX.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:17.132400+0000","flow_id":1199491543794992,"pcap_cnt":119,"event_type":"dns","src_ip":"192.168.56.112","src_port":64288,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15402,"rrname":"www.Hq36EI3u5x.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:17.433262+0000","flow_id":1199491543794992,"pcap_cnt":120,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":64288,"proto":"UDP","dns":{"type":"answer","id":15402,"rcode":"NOERROR","rrname":"www.Hq36EI3u5x.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:17.453691+0000","flow_id":1232698083503163,"pcap_cnt":121,"event_type":"dns","src_ip":"192.168.56.112","src_port":53135,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38377,"rrname":"www.4ta8xz61E0.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:17.849367+0000","flow_id":1232698083503163,"pcap_cnt":128,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":53135,"proto":"UDP","dns":{"type":"answer","id":38377,"rcode":"NOERROR","rrname":"www.4ta8xz61E0.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:17.969828+0000","flow_id":1378447798684772,"pcap_cnt":129,"event_type":"dns","src_ip":"192.168.56.112","src_port":51793,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":22765,"rrname":"www.9eXIRV0ePc.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:18.320308+0000","flow_id":1378447798684772,"pcap_cnt":130,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":51793,"proto":"UDP","dns":{"type":"answer","id":22765,"rcode":"NOERROR","rrname":"www.9eXIRV0ePc.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:18.341366+0000","flow_id":1696730645149046,"pcap_cnt":133,"event_type":"dns","src_ip":"192.168.56.112","src_port":49216,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5266,"rrname":"www.6cj3yL1JN8.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:18.651625+0000","flow_id":1696730645149046,"pcap_cnt":134,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":49216,"proto":"UDP","dns":{"type":"answer","id":5266,"rcode":"NOERROR","rrname":"www.6cj3yL1JN8.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:18.673529+0000","flow_id":721579795433209,"pcap_cnt":135,"event_type":"dns","src_ip":"192.168.56.112","src_port":63071,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56865,"rrname":"www.2doxTCCC6G.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:18.981246+0000","flow_id":721579795433209,"pcap_cnt":136,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":63071,"proto":"UDP","dns":{"type":"answer","id":56865,"rcode":"NOERROR","rrname":"www.2doxTCCC6G.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:19.002680+0000","flow_id":2143645614672504,"pcap_cnt":137,"event_type":"dns","src_ip":"192.168.56.112","src_port":61511,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59797,"rrname":"www.4vLkYE5sF5.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:19.305592+0000","flow_id":2143645614672504,"pcap_cnt":140,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":61511,"proto":"UDP","dns":{"type":"answer","id":59797,"rcode":"NOERROR","rrname":"www.4vLkYE5sF5.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:19.328665+0000","flow_id":423760320725977,"pcap_cnt":141,"event_type":"dns","src_ip":"192.168.56.112","src_port":49844,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24205,"rrname":"www.loGUSYNNkJ.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:19.637335+0000","flow_id":423760320725977,"pcap_cnt":142,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":49844,"proto":"UDP","dns":{"type":"answer","id":24205,"rcode":"NOERROR","rrname":"www.loGUSYNNkJ.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:19.767303+0000","flow_id":1281641383441735,"pcap_cnt":143,"event_type":"dns","src_ip":"192.168.56.112","src_port":52377,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40113,"rrname":"www.pDGV137X2p.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:20.160422+0000","flow_id":1281641383441735,"pcap_cnt":146,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":52377,"proto":"UDP","dns":{"type":"answer","id":40113,"rcode":"NOERROR","rrname":"www.pDGV137X2p.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:20.182843+0000","flow_id":104064430164539,"pcap_cnt":147,"event_type":"dns","src_ip":"192.168.56.112","src_port":64159,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56258,"rrname":"www.AXHL6q7cCY.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:20.494365+0000","flow_id":104064430164539,"pcap_cnt":148,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":64159,"proto":"UDP","dns":{"type":"answer","id":56258,"rcode":"NOERROR","rrname":"www.AXHL6q7cCY.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:20.514785+0000","flow_id":2187486493465313,"pcap_cnt":149,"event_type":"dns","src_ip":"192.168.56.112","src_port":64702,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45903,"rrname":"www.fPjl3RLaGH.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:20.904267+0000","flow_id":2187486493465313,"pcap_cnt":154,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":64702,"proto":"UDP","dns":{"type":"answer","id":45903,"rcode":"NOERROR","rrname":"www.fPjl3RLaGH.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:20.924371+0000","flow_id":322828589341395,"pcap_cnt":155,"event_type":"dns","src_ip":"192.168.56.112","src_port":56251,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11065,"rrname":"www.evS0bplfi6.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:21.238207+0000","flow_id":322828589341395,"pcap_cnt":156,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":56251,"proto":"UDP","dns":{"type":"answer","id":11065,"rcode":"NOERROR","rrname":"www.evS0bplfi6.com","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2019-02-28T04:28:21.261427+0000","flow_id":623944451620147,"pcap_cnt":157,"event_type":"dns","src_ip":"192.168.56.112","src_port":55219,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54442,"rrname":"www.mFiEXzMxYD.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-02-28T04:28:21.578674+0000","flow_id":623944451620147,"pcap_cnt":158,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.112","dest_port":55219,"proto":"U
--------------------------------------------------------------------------------------------------------------------------------
Date: 9/23/2019 -- 11:42:37
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 15798282 3154 2010 73560 5008.00 4973.00 5071.00
pcre 1780924 277 260 73586 6429.00 6124.00 11092.00
byte_test 17719282 3600 1683 51484 4922.00 5024.00 4832.00
byte_jump 124460 20 20 21972 6223.00 6223.00 0.00
isdataat 1307268 259 0 38734 5047.00 0.00 5047.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 15777238 3151 2010 73560 5007.00 4973.00 5066.00
pcre 1780924 277 260 73586 6429.00 6124.00 11092.00
byte_test 17719282 3600 1683 51484 4922.00 5024.00 4832.00
byte_jump 124460 20 20 21972 6223.00 6223.00 0.00
isdataat 1307268 259 0 38734 5047.00 0.00 5047.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: dns_query
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 21044 3 0 9184 7014.00 0.00 7014.00
--------------------------------------------------------------------------
Date: 9/23/2019 -- 11:42:37. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2010140 1 7 13950276 9.02 650 0 10478384 21461.96 0.00 21461.96
2 2023622 1 3 1546338 1.00 253 0 375606 6112.01 0.00 6112.01
3 2019230 1 2 8132466 5.26 519 0 286346 15669.49 0.00 15669.49
4 2805348 1 4 1667288 1.08 20 0 155184 83364.40 0.00 83364.40
5 2014703 1 9 8290136 5.36 563 0 112586 14724.93 0.00 14724.93
6 2009702 1 5 11194462 7.24 563 0 111496 19883.59 0.00 19883.59
7 2008118 1 3 1638968 1.06 319 0 100928 5137.83 0.00 5137.83
8 2014701 1 12 11010206 7.12 563 0 100750 19556.32 0.00 19556.32
9 2809850 1 2 9511806 6.15 273 0 95222 34841.78 0.00 34841.78
10 2022543 1 1 6414094 4.15 259 0 90090 24764.84 0.00 24764.84
11 2014702 1 9 8257272 5.34 563 0 87200 14666.56 0.00 14666.56
12 2010143 1 3 6064642 3.92 650 0 83166 9330.22 0.00 9330.22
13 2811577 1 2 7465244 4.83 519 0 74674 14383.90 0.00 14383.90
14 2811544 1 1 7635414 4.94 519 0 56694 14711.78 0.00 14711.78
15 2803760 1 3 7066948 4.57 282 0 51626 25060.10 0.00 25060.10
16 2826281 1 2 6776676 4.38 282 0 48714 24030.77 0.00 24030.77
17 2801347 1 5 2602458 1.68 531 0 38606 4901.05 0.00 4901.05
18 2025106 1 2 59348 0.04 2 0 34974 29674.00 0.00 29674.00
19 2023624 1 3 2940316 1.90 614 0 31758 4788.79 0.00 4788.79
20 2010142 1 4 3087570 2.00 650 0 31646 4750.11 0.00 4750.11
21 2008117 1 3 2730284 1.76 566 0 29858 4823.82 0.00 4823.82
22 2023620 1 3 1837156 1.19 395 0 29248 4651.03 0.00 4651.03
23 2025104 1 2 27290 0.02 1 0 27290 27290.00 0.00 27290.00
24 2023626 1 3 1102950 0.71 232 0 24920 4754.09 0.00 4754.09
25 2008120 1 4 3083036 1.99 652 0 24374 4728.58 0.00 4728.58
26 2023625 1 3 1209760 0.78 242 0 23144 4999.01 0.00 4999.01
27 2802822 1 1 2739380 1.77 566 0 22836 4839.89 0.00 4839.89
28 2025200 1 1 2734656 1.77 563 0 22648 4857.29 0.00 4857.29
29 2023623 1 3 991806 0.64 210 0 22622 4722.89 0.00 4722.89
30 2023612 1 4 729866 0.47 156 0 22110 4678.63 0.00 4678.63
31 2019010 1 3 127594 0.08 20 0 21922 6379.70 0.00 6379.70
32 2802081 1 1 253832 0.16 46 0 21498 5518.09 0.00 5518.09
33 2023627 1 3 1210520 0.78 259 0 21432 4673.82 0.00 4673.82
34 2823788 1 4 1369124 0.89 282 0 21042 4855.05 0.00 4855.05
35 2009243 1 2 1504366 0.97 319 0 20800 4715.88 0.00 4715.88
36 2023617 1 3 521874 0.34 112 0 20718 4659.59 0.00 4659.59
37 2019011 1 3 110860 0.07 20 0 20630 5543.00 0.00 5543.00
38 2023621 1 4 601020 0.39 126 0 20612 4770.00 0.00 4770.00
39 2023618 1 3 520690 0.34 108 0 20532 4821.20 0.00 4821.20
40 2023616 1 3 504408 0.33 100 0 20506 5044.08 0.00 5044.08
41 2013075 1 8 1324590 0.86 282 0 20372 4697.13 0.00 4697.13
42 2023613 1 3 667198 0.43 142 0 20272 4698.58 0.00 4698.58
43 2013739 1 15 422924 0.27 89 0 19732 4751.96 0.00 4751.96
44 2805442 1 2 327250 0.21 70 0 18120 4675.00 0.00 4675.00
45 2023614 1 3 697336 0.45 149 0 17460 4680.11 0.00 4680.11
46 2022914 1 1 89900 0.06 6 0 17422 14983.33 0.00 14983.33
47 2023619 1 3 428428 0.28 92 0 17010 4656.83 0.00 4656.83
48 2805211 1 1 87380 0.06 6 0 15844 14563.33 0.00 14563.33
49 2023615 1 3 605734 0.39 132 0 6512 4588.89 0.00 4588.89
50 2016363 1 2 58648 0.04 12 0 6468 4887.33 0.00 4887.33
51 2019016 1 3 93914 0.06 20 0 6468 4695.70 0.00 4695.70
52 2802205 1 3 93448 0.06 20 0 6062 4672.40 0.00 4672.40
53 2008116 1 4 94962 0.06 20 0 5904 4748.10 0.00 4748.10
54 2802026 1 1 130488 0.08 27 0 5698 4832.89 0.00 4832.89
55 2822838 1 2 14474 0.01 3 0 5494 4824.67 0.00 4824.67
56 2016323 1 1 58972 0.04 12 0 5488 4914.33 0.00 4914.33
57 2100566 1 5 55920 0.04 12 0 5414 4660.00 0.00 4660.00
58 2100518 1 8 93830 0.06 20 0 5320 4691.50 0.00 4691.50
59 2101892 1 7 5242 0.00 1 0 5242 5242.00 0.00 5242.00
60 2022331 1 3 5202 0.00 1 0 5202 5202.00 0.00 5202.00
61 2019017 1 3 93156 0.06 20 0 5092 4657.80 0.00 4657.80
62 2019490 1 3 9806 0.01 2 0 5014 4903.00 0.00 4903.00
63 2809037 1 1 4740 0.00 1 0 4740 4740.00 0.00 4740.00
64 2023453 1 5 9078 0.01 2 0 4638 4539.00 0.00 4539.00
2019-09-23 11:42:14,205 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-09-23 11:42:14,967 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-09-23 11:42:14,967 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-09-23 11:42:14,968 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-09-23 11:42:14,968 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-09-23 11:42:14,968 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/94e64e1e3fd67c00310755a118a106a656b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09232019.1142-pcap_1.pcap -vvv -k none
2019-09-23 11:42:37,324 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-09-23 11:42:37,325 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.1287510395