lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/9643989578cd1a9c5db9bba31ac1fc7d56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/10042019.2043-09406061e18ebb94a1df7e85224238a9b0a1e7b3948e0969a00c08aa84ed5ef7.pcap -vvv -k none
elapsedtime:25.725180
stderr:
stdout:
4/10/2019 -- 20:43:24 - <Info> - Configuration node 'rule-files' redefined.
4/10/2019 -- 20:43:24 - <Notice> - This is Suricata version 4.0.0 RELEASE
4/10/2019 -- 20:43:24 - <Info> - CPUs/cores online: 1
4/10/2019 -- 20:43:24 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31645 and 'request-body-inspect-window' set to 16204 after randomization.
4/10/2019 -- 20:43:24 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31677 and 'response-body-inspect-window' set to 15711 after randomization.
4/10/2019 -- 20:43:24 - <Config> - DNS request flood protection level: 500
4/10/2019 -- 20:43:24 - <Config> - DNS per flow memcap (state-memcap): 524288
4/10/2019 -- 20:43:24 - <Config> - DNS global memcap: 16777216
4/10/2019 -- 20:43:24 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
4/10/2019 -- 20:43:24 - <Config> - preallocated 1000 hosts of size 136
4/10/2019 -- 20:43:24 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
4/10/2019 -- 20:43:24 - <Config> - using magic-file /usr/share/file/magic
4/10/2019 -- 20:43:24 - <Config> - Core dump size is unlimited.
4/10/2019 -- 20:43:24 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
4/10/2019 -- 20:43:24 - <Config> - preallocated 1000 defrag trackers of size 168
4/10/2019 -- 20:43:24 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
4/10/2019 -- 20:43:24 - <Config> - stream "prealloc-sessions": 2048 (per thread)
4/10/2019 -- 20:43:24 - <Config> - stream "memcap": 33554432
4/10/2019 -- 20:43:24 - <Config> - stream "midstream" session pickups: disabled
4/10/2019 -- 20:43:24 - <Config> - stream "async-oneside": disabled
4/10/2019 -- 20:43:24 - <Config> - stream "checksum-validation": disabled
4/10/2019 -- 20:43:24 - <Config> - stream."inline": disabled
4/10/2019 -- 20:43:24 - <Config> - stream "bypass": disabled
4/10/2019 -- 20:43:24 - <Config> - stream "max-synack-queued": 5
4/10/2019 -- 20:43:24 - <Config> - stream.reassembly "memcap": 134217728
4/10/2019 -- 20:43:24 - <Config> - stream.reassembly "depth": 0
4/10/2019 -- 20:43:24 - <Config> - stream.reassembly "toserver-chunk-size": 2638
4/10/2019 -- 20:43:24 - <Config> - stream.reassembly "toclient-chunk-size": 2548
4/10/2019 -- 20:43:24 - <Config> - stream.reassembly.raw: enabled
4/10/2019 -- 20:43:24 - <Config> - stream.reassembly "segment-prealloc": 2048
4/10/2019 -- 20:43:24 - <Config> - Delayed detect disabled
4/10/2019 -- 20:43:24 - <Config> - pattern matchers: MPM: ac, SPM: bm
4/10/2019 -- 20:43:24 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
4/10/2019 -- 20:43:24 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
4/10/2019 -- 20:43:24 - <Config> - prefilter engines: MPM
4/10/2019 -- 20:43:24 - <Config> - IP reputation disabled
4/10/2019 -- 20:43:24 - <Perf> - Registered 148 keyword profiling counters.
4/10/2019 -- 20:43:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
4/10/2019 -- 20:43:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
4/10/2019 -- 20:43:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
4/10/2019 -- 20:43:30 - <Config> - No rules loaded from ET-icmp.rules.
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
4/10/2019 -- 20:43:30 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
4/10/2019 -- 20:43:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
4/10/2019 -- 20:43:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
4/10/2019 -- 20:43:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
4/10/2019 -- 20:43:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
4/10/2019 -- 20:43:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
4/10/2019 -- 20:43:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
4/10/2019 -- 20:43:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
4/10/2019 -- 20:43:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
4/10/2019 -- 20:43:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
4/10/2019 -- 20:43:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
4/10/2019 -- 20:43:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
4/10/2019 -- 20:43:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
4/10/2019 -- 20:43:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
4/10/2019 -- 20:43:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
4/10/2019 -- 20:43:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
4/10/2019 -- 20:43:38 - <Config> - No rules loaded from local.rules.
4/10/2019 -- 20:43:38 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
4/10/2019 -- 20:43:38 - <Info> - Threshold config parsed: 0 rule(s) found
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for tcp-packet
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for tcp-stream
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for udp-packet
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for other-ip
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_uri
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_request_line
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_client_body
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_response_line
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_header
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_header
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_header_names
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_header_names
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_accept
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_accept_enc
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_accept_lang
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_referer
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_connection
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_content_len
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_content_len
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_content_type
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_content_type
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_protocol
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_protocol
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_start
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_start
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_raw_header
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_raw_header
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_method
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_cookie
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_cookie
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_raw_uri
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_user_agent
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_host
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_raw_host
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_stat_msg
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_stat_code
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for dns_query
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for tls_sni
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for tls_cert_issuer
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for tls_cert_subject
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for tls_cert_serial
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for dce_stub_data
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for dce_stub_data
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for ssh_protocol
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for ssh_protocol
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for ssh_software
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for ssh_software
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for file_data
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for file_data
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_request_line
4/10/2019 -- 20:43:39 - <Perf> - using shared mpm ctx' for http_response_line
4/10/2019 -- 20:43:39 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
4/10/2019 -- 20:43:39 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
4/10/2019 -- 20:43:39 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
4/10/2019 -- 20:43:39 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
4/10/2019 -- 20:43:39 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
4/10/2019 -- 20:43:39 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
4/10/2019 -- 20:43:39 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
4/10/2019 -- 20:43:39 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
4/10/2019 -- 20:43:46 - <Perf> - Unique rule groups: 104
4/10/2019 -- 20:43:46 - <Perf> - Builtin MPM "toserver TCP packet": 35
4/10/2019 -- 20:43:46 - <Perf> - Builtin MPM "toclient TCP packet": 17
4/10/2019 -- 20:43:46 - <Perf> - Builtin MPM "toserver TCP stream": 33
4/10/2019 -- 20:43:46 - <Perf> - Builtin MPM "toclient TCP stream": 19
4/10/2019 -- 20:43:46 - <Perf> - Builtin MPM "toserver UDP packet": 27
4/10/2019 -- 20:43:46 - <Perf> - Builtin MPM "toclient UDP packet": 17
4/10/2019 -- 20:43:46 - <Perf> - Builtin MPM "other IP packet": 3
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_uri": 14
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_request_line": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_client_body": 6
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient http_response_line": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_header": 10
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient http_header": 6
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_header_names": 2
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_accept": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_referer": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_content_len": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_content_type": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient http_content_type": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_protocol": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_start": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_method": 5
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_cookie": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient http_cookie": 2
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver http_host": 2
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver dns_query": 4
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver tls_sni": 2
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toserver file_data": 1
4/10/2019 -- 20:43:46 - <Perf> - AppLayer MPM "toclient file_data": 7
4/10/2019 -- 20:43:49 - <Perf> - Registered 39590 rule profiling counters.
4/10/2019 -- 20:43:49 - <Info> - fast output device (regular) initialized: alert
4/10/2019 -- 20:43:49 - <Info> - eve-log output device (regular) initialized: eve.json
4/10/2019 -- 20:43:49 - <Config> - enabling 'eve-log' module 'alert'
4/10/2019 -- 20:43:49 - <Config> - enabling 'eve-log' module 'http'
4/10/2019 -- 20:43:49 - <Config> - enabling 'eve-log' module 'dns'
4/10/2019 -- 20:43:49 - <Config> - enabling 'eve-log' module 'tls'
4/10/2019 -- 20:43:49 - <Config> - enabling 'eve-log' module 'files'
4/10/2019 -- 20:43:49 - <Config> - enabling 'eve-log' module 'ssh'
4/10/2019 -- 20:43:49 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
4/10/2019 -- 20:43:49 - <Info> - stats output device (regular) initialized: stats.log
4/10/2019 -- 20:43:49 - <Config> - AutoFP mode using "Hash" flow load balancer
4/10/2019 -- 20:43:49 - <Info> - reading pcap file /var/pcap/10042019.2043-09406061e18ebb94a1df7e85224238a9b0a1e7b3948e0969a00

Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 123 3482900 72155460 43902597 5.4b 99.51
IPv4 17 2 12797726 13690144 13243935 26.5m 0.49
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 123 114794 14763186 512380 63.0m 84.54
TMM_FLOWWORKER IPv4 17 2 788186 9498724 5143455 10.3m 13.80
TMM_RECEIVEPCAPFILE IPv4 6 109 4424 30680 5453 594.5k 0.80
TMM_RECEIVEPCAPFILE IPv4 17 2 4848 13270 9059 18.1k 0.02
TMM_DECODEPCAPFILE IPv4 6 109 4552 22962 5325 580.5k 0.78
TMM_DECODEPCAPFILE IPv4 17 2 4914 43836 24375 48.8k 0.07
Flow Worker IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
flow IPv4 6 109 4780 12872 5598 610.2k 1.28
flow IPv4 17 2 16212 51768 33990 68.0k 0.14
stream IPv4 6 123 4666 3727292 58416 7.2m 15.05
app-layer IPv4 17 2 22234 116784 69509 139.0k 0.29
detect IPv4 6 123 77416 4963454 297610 36.6m 76.66
detect IPv4 17 2 619680 1046392 833036 1.7m 3.49
tcp-prune IPv4 6 123 4446 844770 12019 1.5m 3.10
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
tls IPv4 6 6 4580 5262 4940 29.6k 43.41
dns IPv4 17 2 11094 27548 19321 38.6k 56.59
Proto detect IPv4 17 2 70736 70736 70736 141.5k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
LOGGER_JSON_DNS IPv4 17 2 96190 8229780 4162985 8.3m 93.49
LOGGER_JSON_TLS IPv4 6 8 4476 190348 72502 580.0k 6.51
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 55 4486 935862 72814 4.0m 47.03
payload IPv4 17 2 66272 84232 75252 150.5k 1.77
stream IPv4 6 55 4434 1634958 68873 3.8m 44.48
dns_query IPv4 17 1 20324 20324 20324 20.3k 0.24
tls_sni IPv4 6 23 4456 315842 20128 463.0k 5.44
tls_cert_issuer IPv4 6 4 4518 12532 7727 30.9k 0.36
tls_cert_subject IPv4 6 4 4498 13032 7699 30.8k 0.36
tls_cert_serial IPv4 6 4 4488 10226 6865 27.5k 0.32
Total IPv4 148 57539 8.5m
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
PROF_DETECT_IPONLY IPv4 6 16 5366 89766 39060 625.0k 1.44
PROF_DETECT_IPONLY IPv4 17 2 49986 168808 109397 218.8k 0.50
PROF_DETECT_RULES IPv4 6 123 4424 3101628 104384 12.8m 29.52
PROF_DETECT_RULES IPv4 17 2 319458 538156 428807 857.6k 1.97
PROF_DETECT_STATEFUL_CONT IPv4 6 123 4426 24592 8324 1.0m 2.35
PROF_DETECT_STATEFUL_CONT IPv4 17 2 23150 64184 43667 87.3k 0.20
PROF_DETECT_STATEFUL_UPDATE IPv4 6 89 4450 9910 4809 428.1k 0.98
PROF_DETECT_STATEFUL_UPDATE IPv4 17 2 4950 5234 5092 10.2k 0.02
PROF_DETECT_PREFILTER IPv4 6 123 13544 1779312 107346 13.2m 30.36
PROF_DETECT_PREFILTER IPv4 17 2 130906 155094 143000 286.0k 0.66
PROF_DETECT_PF_PAYLOAD IPv4 6 55 22788 1683322 155872 8.6m 19.71
PROF_DETECT_PF_PAYLOAD IPv4 17 2 75464 93458 84461 168.9k 0.39
PROF_DETECT_PF_TX IPv4 6 89 4542 327528 13222 1.2m 2.71
PROF_DETECT_PF_TX IPv4 17 1 31552 31552 31552 31.6k 0.07
PROF_DETECT_PF_SORT1 IPv4 6 43 4446 6486 5045 217.0k 0.50
PROF_DETECT_PF_SORT1 IPv4 17 2 6262 7360 6811 13.6k 0.03
PROF_DETECT_PF_SORT2 IPv4 6 123 4406 27702 5138 632.0k 1.45
PROF_DETECT_PF_SORT2 IPv4 17 2 9942 16546 13244 26.5k 0.06
PROF_DETECT_NONMPMLIST IPv4 6 123 4430 7122 4928 606.2k 1.39
PROF_DETECT_NONMPMLIST IPv4 17 2 5652 6480 6066 12.1k 0.03
PROF_DETECT_ALERT IPv4 6 123 4416 24144 4798 590.2k 1.36
PROF_DETECT_ALERT IPv4 17 2 5890 18756 12323 24.6k 0.06
PROF_DETECT_CLEANUP IPv4 6 123 4464 30580 5225 642.8k 1.48
PROF_DETECT_CLEANUP IPv4 17 2 7210 7944 7577 15.2k 0.03
PROF_DETECT_GETSGH IPv4 6 123 4424 442992 9386 1.2m 2.65
PROF_DETECT_GETSGH IPv4 17 2 10340 11246 10793 21.6k 0.05

------------------------------------------------------------------------------------
Date: 10/4/2019 -- 20:43:50 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 111
decoder.bytes | Total | 21522
decoder.ipv4 | Total | 111
decoder.ethernet | Total | 111
decoder.tcp | Total | 109
decoder.udp | Total | 2
decoder.avg_pkt_size | Total | 193
decoder.max_pkt_size | Total | 2400
flow.tcp | Total | 8
flow.udp | Total | 1
tcp.sessions | Total | 8
tcp.syn | Total | 8
tcp.synack | Total | 8
tcp.rst | Total | 10
detect.mpm_list | Total | 2
detect.nonmpm_list | Total | 3
detect.match_list | Total | 3
app_layer.flow.tls | Total | 8
app_layer.flow.dns_udp | Total | 1
app_layer.tx.dns_udp | Total | 1
flow.spare | Total | 9996
flow_mgr.flows_checked | Total | 2
flow_mgr.flows_notimeout | Total | 2
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_empty | Total | 65534
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7074592

{"timestamp":"2019-09-06T15:18:20.767616+0000","flow_id":1469535823378048,"pcap_cnt":1,"event_type":"dns","src_ip":"192.168.0.156","src_port":61712,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2547,"rrname":"www.ksahosting.net","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-06T15:18:20.957396+0000","flow_id":1469535823378048,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.0.156","dest_port":61712,"proto":"UDP","dns":{"type":"answer","id":2547,"rcode":"NOERROR","rrname":"www.ksahosting.net","rrtype":"CNAME","ttl":14399,"rdata":"ksahosting.net"}}
{"timestamp":"2019-09-06T15:18:20.957396+0000","flow_id":1469535823378048,"pcap_cnt":2,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.0.156","dest_port":61712,"proto":"UDP","dns":{"type":"answer","id":2547,"rcode":"NOERROR","rrname":"ksahosting.net","rrtype":"A","ttl":14399,"rdata":"5.101.174.42"}}
{"timestamp":"2019-09-06T15:18:31.569364+0000","flow_id":2156962519664218,"pcap_cnt":39,"event_type":"tls","src_ip":"192.168.0.156","src_port":49191,"dest_ip":"5.101.174.42","dest_port":443,"proto":"TCP","tls":{"subject":"CN=ksahosting.net","issuerdn":"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"}}
{"timestamp":"2019-09-06T15:18:31.569409+0000","flow_id":88628676478653,"pcap_cnt":40,"event_type":"tls","src_ip":"192.168.0.156","src_port":49190,"dest_ip":"5.101.174.42","dest_port":443,"proto":"TCP","tls":{"subject":"CN=ksahosting.net","issuerdn":"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"}}
{"timestamp":"2019-09-06T15:18:32.899658+0000","flow_id":671584587618178,"pcap_cnt":78,"event_type":"tls","src_ip":"192.168.0.156","src_port":49196,"dest_ip":"5.101.174.42","dest_port":443,"proto":"TCP","tls":{"session_resumed":true}}
{"timestamp":"2019-09-06T15:20:27.462163+0000","flow_id":1813496132540218,"event_type":"tls","src_ip":"192.168.0.156","src_port":49195,"dest_ip":"5.101.174.42","dest_port":443,"proto":"TCP","tls":{"session_resumed":true}}

--------------------------------------------------------------------------------------------------------------------------------
Date: 10/4/2019 -- 20:43:50
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 37904 4 4 19096 9476.00 9476.00 0.00
content 1935934 201 74 428144 9631.00 11497.00 8544.00
pcre 622474 19 1 420322 32761.00 43630.00 32158.00
byte_test 95824 14 2 27024 6844.00 17172.00 5123.00
byte_jump 38026 6 4 11120 6337.00 6557.00 5898.00
isdataat 4978 1 0 4978 4978.00 0.00 4978.00
flowbits 45766 4 4 25428 11441.00 11441.00 0.00
byte_extract 591328 32 32 430750 18479.00 18479.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 37904 4 4 19096 9476.00 9476.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 1935934 201 74 428144 9631.00 11497.00 8544.00
pcre 622474 19 1 420322 32761.00 43630.00 32158.00
byte_test 95824 14 2 27024 6844.00 17172.00 5123.00
byte_jump 38026 6 4 11120 6337.00 6557.00 5898.00
isdataat 4978 1 0 4978 4978.00 0.00 4978.00
byte_extract 591328 32 32 430750 18479.00 18479.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: post-match
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flowbits 45766 4 4 25428 11441.00 11441.00 0.00

--------------------------------------------------------------------------
Date: 10/4/2019 -- 20:43:50. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2021749 1 6 1576596 16.06 2 0 808290 788298.00 0.00 788298.00
2 2814978 1 2 839772 8.56 2 0 625784 419886.00 0.00 419886.00
3 2814979 1 2 790996 8.06 2 0 609432 395498.00 0.00 395498.00
4 2822213 1 2 656158 6.69 2 0 536200 328079.00 0.00 328079.00
5 2018457 1 1 593898 6.05 2 0 523368 296949.00 0.00 296949.00
6 2024772 1 2 1164142 11.86 6 4 488776 194023.67 280102.00 21867.00
7 2809258 1 4 472660 4.82 7 0 437644 67522.86 0.00 67522.86
8 2017935 1 3 468192 4.77 10 0 423628 46819.20 0.00 46819.20
9 2018005 1 6 292652 2.98 2 0 160680 146326.00 0.00 146326.00
10 2014701 1 12 97716 1.00 2 0 92778 48858.00 0.00 48858.00
11 2809850 1 2 77866 0.79 1 0 77866 77866.00 0.00 77866.00
12 2014634 1 1 230392 2.35 4 0 70454 57598.00 0.00 57598.00
13 2014635 1 1 235538 2.40 4 0 61328 58884.50 0.00 58884.50
14 2815451 1 2 265464 2.70 12 0 45592 22122.00 0.00 22122.00
15 2022543 1 1 32590 0.33 1 0 32590 32590.00 0.00 32590.00
16 2020779 1 3 31402 0.32 1 0 31402 31402.00 0.00 31402.00
17 2020788 1 2 30656 0.31 1 0 30656 30656.00 0.00 30656.00
18 2828876 1 1 171966 1.75 27 0 29164 6369.11 0.00 6369.11
19 2826281 1 2 28058 0.29 1 0 28058 28058.00 0.00 28058.00
20 2811542 1 1 33136 0.34 2 0 27106 16568.00 0.00 16568.00
21 2803760 1 3 27000 0.28 1 0 27000 27000.00 0.00 27000.00
22 2024777 1 2 99592 1.01 8 0 25468 12449.00 0.00 12449.00
23 2014703 1 9 30718 0.31 2 0 25080 15359.00 0.00 15359.00
24 2024778 1 1 81340 0.83 4 0 24704 20335.00 0.00 20335.00
25 2014702 1 9 29328 0.30 2 0 24386 14664.00 0.00 14664.00
26 2102523 1 8 57810 0.59 8 0 21354 7226.25 0.00 7226.25
27 2021976 1 2 43420 0.44 6 0 18920 7236.67 0.00 7236.67
28 2020371 1 2 17554 0.18 1 0 17554 17554.00 0.00 17554.00
29 2009702 1 5 20504 0.21 2 0 15208 10252.00 0.00 10252.00
30 2808577 1 5 145968 1.49 30 0 7976 4865.60 0.00 4865.60
31 2806561 1 5 45662 0.47 8 0 6892 5707.75 0.00 5707.75
32 2009387 1 4 70524 0.72 14 0 6648 5037.43 0.00 5037.43
33 2103159 1 4 40958 0.42 8 0 6640 5119.75 0.00 5119.75
34 2802823 1 1 6586 0.07 1 0 6586 6586.00 0.00 6586.00
35 2807546 1 6 30254 0.31 6 0 6462 5042.33 0.00 5042.33
36 2823966 1 1 63082 0.64 12 0 6318 5256.83 0.00 5256.83
37 2809487 1 2 16592 0.17 3 0 6314 5530.67 0.00 5530.67
38 2018789 1 3 12462 0.13 2 0 6276 6231.00 0.00 6231.00
39 2008117 1 3 11788 0.12 2 0 6270 5894.00 0.00 5894.00
40 2100327 1 10 12138 0.12 2 0 6244 6069.00 0.00 6069.00
41 2001330 1 8 121192 1.23 25 0 6204 4847.68 0.00 4847.68
42 2102190 1 5 99798 1.02 20 0 6122 4989.90 0.00 4989.90
43 2008120 1 4 11676 0.12 2 0 6108 5838.00 0.00 5838.00
44 2023626 1 3 11466 0.12 2 0 6070 5733.00 0.00 5733.00
45 2103238 1 4 31670 0.32 6 0 5964 5278.33 0.00 5278.33
46 2809132 1 1 39110 0.40 8 0 5962 4888.75 0.00 4888.75
47 2009243 1 2 5934 0.06 1 0 5934 5934.00 0.00 5934.00
48 2802205 1 3 5886 0.06 1 0 5886 5886.00 0.00 5886.00
49 2802822 1 1 10798 0.11 2 0 5858 5399.00 0.00 5399.00
50 2008306 1 3 56742 0.58 12 0 5818 4728.50 0.00 4728.50
51 2018281 1 4 30412 0.31 6 0 5806 5068.67 0.00 5068.67
52 2103158 1 6 83096 0.85 17 0 5762 4888.00 0.00 4888.00
53 2022547 1 1 68916 0.70 14 0 5672 4922.57 0.00 4922.57
54 2008116 1 4 5662 0.06 1 0 5662 5662.00 0.00 5662.00
55 2809256 1 3 10918 0.11 2 0 5646 5459.00 0.00 5459.00
56 2100518 1 8 5640 0.06 1 0 5640 5640.00 0.00 5640.00
57 2804911 1 3 11086 0.11 2 0 5596 5543.00 0.00 5543.00
58 2823788 1 4 5534 0.06 1 0 5534 5534.00 0.00 5534.00
59 2010142 1 4 5512 0.06 1 0 5512 5512.00 0.00 5512.00
60 2809255 1 3 10584 0.11 2 0 5474 5292.00 0.00 5292.00
61 2021978 1 6 28780 0.29 6 0 5436 4796.67 0.00 4796.67
62 2010140 1 7 5430 0.06 1 0 5430 5430.00 0.00 5430.00
63 2019010 1 3 5406 0.06 1 0 5406 5406.00 0.00 5406.00
64 2811034 1 1 28638 0.29 6 0 5380 4773.00 0.00 4773.00
65 2025200 1 1 10348 0.11 2 0 5348 5174.00 0.00 5174.00
66 2019017 1 3 5340 0.05 1 0 5340 5340.00 0.00 5340.00
67 2023622 1 3 10622 0.11 2 0 5330 5311.00 0.00 5311.00
68 2010143 1 3 5314 0.05 1 0 5314 5314.00 0.00 5314.00
69 2821129 1 2 9722 0.10 2 0 5294 4861.00 0.00 4861.00
70 2015986 1 5 14720 0.15 3 0 5250 4906.67 0.00 4906.67
71 2012236 1 2 9872 0.10 2 0 5202 4936.00 0.00 4936.00
72 2023620 1 3 5200 0.05 1 0 5200 5200.00 0.00 5200.00
73 2102523 1 8 38100 0.39 8 0 5130 4762.50 0.00 4762.50
74 2802876 1 3 18916 0.19 4 0 5026 4729.00 0.00 4729.00
75 2008118 1 3 4922 0.05 1 0 4922 4922.00 0.00 4922.00
76 2008119 1 3 4862 0.05 1 0 4862 4862.00 0.00 4862.00
77 2013075 1 8 4774 0.05 1 0 4774 4774.00 0.00 4774.00
78 2018558 1 5 9384 0.10 2 0 4760 4692.00 0.00 4692.00
79 2801347 1 5 8912 0.09 2 0 4458 4456.00 0.00 4456.00

2019-10-04 20:43:23,799 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-10-04 20:43:24,607 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-10-04 20:43:24,607 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-10-04 20:43:24,608 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-10-04 20:43:24,608 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-10-04 20:43:24,608 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/9643989578cd1a9c5db9bba31ac1fc7d56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/10042019.2043-09406061e18ebb94a1df7e85224238a9b0a1e7b3948e0969a00c08aa84ed5ef7.pcap -vvv -k none
2019-10-04 20:43:50,337 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-10-04 20:43:50,338 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 26.5485432148