Filename: 2018-08-14-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 9.742800951 seconds
Hash: 98d1d89589ef10943fce05b8f98d15f7
Uploaded: 1558512857

Logfiles


suricata-4.0.0-etopen-all-alert-2019-05-22-T-08-14-27-05222019.0814-2018-08-14-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap.txt (2195 bytes)
08/14/2018-15:26:36.525409  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 185.88.153.108:80 -> 10.8.14.101:49214
08/14/2018-15:26:36.540029  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 185.88.153.108:80 -> 10.8.14.101:49214
08/14/2018-15:27:10.043924  [**] [1:2020202:2] ET POLICY Terse Named Filename EXE Download - Possibly Hostile [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 195.208.1.102:80 -> 10.8.14.101:49219
08/14/2018-15:27:10.421288  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 195.208.1.102:80 -> 10.8.14.101:49219
08/14/2018-15:27:10.421288  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 195.208.1.102:80 -> 10.8.14.101:49219
08/14/2018-15:27:10.421288  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 195.208.1.102:80 -> 10.8.14.101:49219
08/14/2018-15:44:21.928389  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.8.14.101:49259 -> 75.80.225.46:8443
08/14/2018-15:44:24.361011  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.8.14.101:49259 -> 75.80.225.46:8443
08/14/2018-15:45:01.004685  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.8.14.101:49259 -> 75.80.225.46:8443
08/14/2018-16:29:06.611344  [**] [1:2018358:7] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.8.14.101:49336 -> 75.80.225.46:8443


suricata-4.0.0-etopen-all-perf.txt-2019-05-22-T-08-14-27-05222019.0814-2018-08-14-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap.txt (45526 bytes)
  --------------------------------------------------------------------------
  Date: 5/22/2019 -- 08:14:27. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2024829      1        2        7633027      5.31   72       0        6164313     106014.26   0.00        106014.26  
  2        2016537      1        2        9815837      6.83   516      2        2581842     19022.94    63827.00    18848.61   
  3        2020865      1        3        6265068      4.36   44       0        523459      142387.91   0.00        142387.91  
  4        2017748      1        6        1894467      1.32   106      0        395039      17872.33    0.00        17872.33   
  5        2018382      1        8        507321       0.35   35       0        389329      14494.89    0.00        14494.89   
  6        2022535      1        11       10734216     7.47   142      0        298782      75593.07    0.00        75593.07   
  7        2016855      1        2        206594       0.14   1        0        206594      206594.00   0.00        206594.00  
  8        2021749      1        6        176330       0.12   1        0        176330      176330.00   0.00        176330.00  
  9        2012520      1        7        170306       0.12   1        1        170306      170306.00   170306.00   0.00       
  10       2016854      1        3        166006       0.12   1        0        166006      166006.00   0.00        166006.00  
  11       2018358      1        7        1604979      1.12   19       4        118601      84472.58    91540.50    82587.80   
  12       2023476      1        5        11198684     7.79   142      0        117034      78863.97    0.00        78863.97   
  13       2022627      1        12       9838298      6.84   142      0        112525      69283.79    0.00        69283.79   
  14       2018342      1        2        402509       0.28   4        0        106767      100627.25   0.00        100627.25  
  15       2018005      1        6        6279600      4.37   143      0        102728      43913.29    0.00        43913.29   
  16       2019344      1        5        1009187      0.70   19       2        98121       53115.11    54607.00    52939.59   
  17       2019837      1        3        106763       0.07   4        1        97408       26690.75    97408.00    3118.33    
  18       2019613      1        3        111144       0.08   6        1        96246       18524.00    96246.00    2979.60    
  19       2024769      1        2        521093       0.36   6        0        93028       86848.83    0.00        86848.83   
  20       2018982      1        2        130703       0.09   2        0        90212       65351.50    0.00        65351.50   
  21       2022467      1        2        108089       0.08   2        0        87810       54044.50    0.00        54044.50   
  22       2022050      1        3        123079       0.09   2        0        87208       61539.50    0.00        61539.50   
  23       2020569      1        1        123321       0.09   2        0        87196       61660.50    0.00        61660.50   
  24       2024771      1        1        3403108      2.37   451      0        86360       7545.69     0.00        7545.69    
  25       2024178      1        2        502095       0.35   19       0        85920       26426.05    0.00        26426.05   
  26       2017552      1        6        7552875      5.25   537      0        85383       14064.94    0.00        14064.94   
  27       2023875      1        2        629568       0.44   19       0        84584       33135.16    0.00        33135.16   
  28       2022220      1        2        714258       0.50   19       0        82239       37592.53    0.00        37592.53   
  29       2018377      1        3        180357       0.13   35       0        76431       5153.06     0.00        5153.06    
  30       2017669      1        5        165860       0.12   6        0        70318       27643.33    0.00        27643.33   
  31       2016858      1        10       578747       0.40   19       0        70314       30460.37    0.00        30460.37   
  32       2017613      1        9        618818       0.43   19       0        68976       32569.37    0.00        32569.37   
  33       2019693      1        5        558833       0.39   19       0        67428       29412.26    0.00        29412.26   
  34       2022339      1        2        860292       0.60   19       0        65094       45278.53    0.00        45278.53   
  35       2001330      1        8        3342464      2.33   1143     0        64928       2924.29     0.00        2924.29    
  36       2023315      1        2        688193       0.48   19       0        64208       36220.68    0.00        36220.68   
  37       2008575      1        5        631733       0.44   46       0        62886       13733.33    0.00        13733.33   
  38       2022198      1        2        440274       0.31   13       0        61914       33867.23    0.00        33867.23   
  39       2012612      1        16       528382       0.37   19       0        61211       27809.58    0.00        27809.58   
  40       2022262      1        3        651073       0.45   19       0        59581       34267.00    0.00        34267.00   
  41       2014473      1        5        1506199      1.05   106      0        58710       14209.42    0.00        14209.42   
  42       2019881      1        3        758188       0.53   19       0        57638       39904.63    0.00        39904.63   
  43       2017944      1        5        102385       0.07   3        0        57513       34128.33    0.00        34128.33   
  44       2022503      1        2        675072       0.47   19       0        56691       35530.11    0.00        35530.11   
  45       2023711      1        2        55951        0.04   1        0        55951       55951.00    0.00        55951.00   
  46       2018958      1        18       830183       0.58   19       0        55090       43693.84    0.00        43693.84   
  47       2022552      1        2        1592735      1.11   78       0        54739       20419.68    0.00        20419.68   
  48       2017261      1        3        82408        0.06   2        0        54731       41204.00    0.00        41204.00   
  49       2018789      1        3        522262       0.36   143      0        54452       3652.18     0.00        3652.18    
  50       2016948      1        2        1210457      0.84   81       0        53807       14943.91    0.00        14943.91   
  51       2018959      1        3        52275        0.04   1        1        52275       52275.00    52275.00    0.00       
  52       2020388      1        8        302633       0.21   21       0        51341       14411.10    0.00        14411.10   
  53       2021068      1        2        511693       0.36   13       13       51183       39361.00    39361.00    0.00       
  54       2020369      1        3        247797       0.17   6        0        51082       41299.50    0.00        41299.50   
  55       2020825      1        6        235540       0.16   8        0        50869       29442.50    0.00        29442.50   
  56       2025064      1        5        747081       0.52   21       0        50850       35575.29    0.00        35575.29   
  57       2018241      1        2        50411        0.04   1        0        50411       50411.00    0.00        50411.00   
  58       2011894      1        19       555177       0.39   19       0        50219       29219.84    0.00        29219.84   
  59       2016502      1        2        944651       0.66   64       0        50100       14760.17    0.00        14760.17   
  60       2020470      1        6        231360       0.16   8        0        49440       28920.00    0.00        28920.00   
  61       2017093      1        2        72825        0.05   2        0        48282       36412.50    0.00        36412.50   
  62       2021978      1        6        434222       0.30   143      0        47896       3036.52     0.00        3036.52    
  63       2013352      1        4        47872        0.03   1        0        47872       47872.00    0.00        47872.00   
  64       2103159      1        4        850595       0.59   285      0        47199       2984.54     0.00        2984.54    
  65       2024767      1        2        569042       0.40   19       0        46654       29949.58    0.00        29949.58   
  66       2009909      1        10       81260        0.06   2        0        46558       40630.00    0.00        40630.00   
  67       2013827      1        6        131647       0.09   4        0        46523       32911.75    0.00        32911.75   
  68       2014353      1        6        46346        0.03   1        0        46346       46346.00    0.00        46346.00   
  69       2021418      1        9        79541        0.06   2        0        46046       39770.50    0.00        39770.50   
  70       2009897      1        14       79178        0.06   2        0        45720       39589.00    0.00        39589.00   
  71       2008438      1        20       88908        0.06   2        0        45089       44454.00    0.00        44454.00   
  72       2013441      1        9        77207        0.05   2        0        44550       38603.50    0.00        38603.50   
  73       2022502      1        4        83928        0.06   2        0        43817       41964.00    0.00        41964.00   
  74       2018242      1        5        632576       0.44   19       0        43423       33293.47    0.00        33293.47   
  75       2021413      1        2        86634        0.06   2        0        43390       43317.00    0.00        43317.00   
  76       2014363      1        7        45312        0.03   2        0        42750       22656.00    0.00        22656.00   
  77       2020202      1        2        44972        0.03   2        1        41875       22486.00    41875.00    3097.00    
  78       2009028      1        11       41638        0.03   1        0        41638       41638.00    0.00        41638.00   
  79       2024650      1        1        1486408      1.03   108      0        41598       13763.04    0.00        13763.04   
  80       2024777      1        2        1013395      0.70   362      0        40892       2799.43     0.00        2799.43    
  81       2023670      1        3        686744       0.48   19       6        40545       36144.42    38712.50    34959.15   
  82       2008303      1        3        119202       0.08   19       0        40313       6273.79     0.00        6273.79    
  83       2014130      1        2        156286       0.11   45       0        40267       3473.02     0.00        3473.02    
  84       2020794      1        2        76939        0.05   3        0        40157       25646.33    0.00        25646.33   
  85       2022203      1        2        177906       0.12   6        0        40115       29651.00    0.00        29651.00   
  86       2022132      1        1        148449       0.10   39       0        38744       3806.38     0.00        3806.38    
  87       2014519      1        7        593415       0.41   29       0        37482       20462.59    0.00        20462.59   
  88       2020764      1        2        75613        0.05   3        0        37382       25204.33    0.00        25204.33   
  89       2018452      1        15       646686       0.45   19       0        37015       34036.11    0.00        34036.11   
  90       2018153      1        4        36116        0.03   1        0        36116       36116.00    0.00        36116.00   
  91       2018981      1        4        523609       0.36   19       0        36092       27558.37    0.00        27558.37   
  92       2012649      1        5        71544        0.05   2        0        36053       35772.00    0.00        35772.00   
  93       2023916      1        2        174425       0.12   6        0        35885       29070.83    0.00        29070.83   
  94       2019094      1        5        70744        0.05   2        0        35639       35372.00    0.00        35372.00   
  95       2022901      1        2        70384        0.05   2        0        35491       35192.00    0.00        35192.00   
  96       2024601      1        2        67203        0.05   2        0        35331       33601.50    0.00        33601.50   
  97       2019158      1        5        63097        0.04   2        0        35247       31548.50    0.00        31548.50   
  98       2020782      1        2        34456        0.02   1        0        34456       34456.00    0.00        34456.00   
  99       2022049      1        3        412206       0.29   19       0        34283       21695.05    0.00        21695.05   
  100      2020380      1        3        420342       0.29   19       0        34117       22123.26    0.00        22123.26   
  101      2016538      1        3        33927        0.02   1        1        33927       33927.00    33927.00    0.00       
  102      2020705      1        4        395115       0.27   19       0        33373       20795.53    0.00        20795.53   
  103      2024909      1        2        1047104      0.73   53       0        33244       19756.68    0.00        19756.68   
  104      2018010      1        5        405556       0.28   19       0        33147       21345.05    0.00        21345.05   
  105      2016223      1        10       392120       0.27   19       0        32922       20637.89    0.00        20637.89   
  106      2014405      1        10       63790        0.04   2        0        32792       31895.00    0.00        31895.00   
  107      2014967      1        3        53830        0.04   2        0        32784       26915.00    0.00        26915.00   
  108      2014520      1        6        600404       0.42   83       1        32703       7233.78     9895.00     7201.33    
  109      2019083      1        2        51557        0.04   2        0        32608       25778.50    0.00        25778.50   
  110      2017934      1        4        103064       0.07   5        0        32460       20612.80    0.00        20612.80   
  111      2019343      1        3        58923        0.04   2        0        32348       29461.50    0.00        29461.50   
  112      2022207      1        4        521963       0.36   19       0        32216       27471.74    0.00        27471.74   
  113      2009702      1        5        160440       0.11   12       0        31286       13370.00    0.00        13370.00   
  114      2018457      1        1        31093        0.02   1        0        31093       31093.00    0.00        31093.00   
  115      2018496      1        9        516808       0.36   19       0        30949       27200.42    0.00        27200.42   
  116      2015877      1        6        59912        0.04   2        0        30765       29956.00    0.00        29956.00   
  117      2013382      1        3        123726       0.09   6        0        30737       20621.00    0.00        20621.00   
  118      2102190      1        5        1552408      1.08   555      0        30153       2797.13     0.00        2797.13    
  119      2016503      1        2        924003       0.64   64       0        29409       14437.55    0.00        14437.55   
  120      2021073      1        2        164233       0.11   6        0        29240       27372.17    0.00        27372.17   
  121      2017948      1        2        57203        0.04   2        0        29159       28601.50    0.00        28601.50   
  122      2025162      1        2        29041        0.02   1        0        29041       29041.00    0.00        29041.00   
  123      2023083      1        2        57013        0.04   2        0        28575       28506.50    0.00        28506.50   
  124      2018983      1        7        498981       0.35   19       0        28437       26262.16    0.00        26262.16   
  125      2020181      1        8        5

This file has been truncated.


unified2.alert.1558512864 (33162 bytes)
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Aug 2018 15:27:09 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.31
Expires: Tue, 01 Jan 1970 00:00:00 GMT
Last-Modified: Tue, 14 Aug 2018 15:27:09 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Disposition: attachment; filename="15.exe"
Content-Transfer-Encoding: binary

This file has been truncated.


packet_stats.log (12789 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          5298          2239101      767313265     556911144       2950.5b   99.84
 IPv4      17            12         17927592      703100878     403856185          4.8b    0.16
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          5298            66122       17047442        188341        997.8m   93.49
TMM_FLOWWORKER              IPv4      17            12           277744        9853151       1168203         14.0m    1.31
TMM_RECEIVEPCAPFILE         IPv4       6          5152             2532        4386634          6155         31.7m    2.97
TMM_RECEIVEPCAPFILE         IPv4      17            12             2557           9456          3248         39.0k    0.00
TMM_DECODEPCAPFILE          IPv4       6          5152             2643        4445742          4590         23.7m    2.22
TMM_DECODEPCAPFILE          IPv4      17            12             2763          17227          4557         54.7k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          5152             2796       14140150          6104         31.5m  3.47  
flow                    IPv4      17            12             3039          55389          8555        102.7k  0.01  
stream                  IPv4       6          5298             2579         323749         10898         57.7m  6.37  
app-layer               IPv4      17            12            10754          41135         20018        240.2k  0.03  
detect                  IPv4       6          5298            44550       17006689        150666        798.2m  88.03 
detect                  IPv4      17            12           212742         413712        299297          3.6m  0.40  
tcp-prune               IPv4       6          5298             2533          44318          2918         15.5m  1.71  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            16             5671          33176         13713        219.4k  18.10 
tls                     IPv4       6           286             2663          17872          3138        897.5k  74.02 
dns                     IPv4      17            12             5135          19191          7962         95.5k  7.88  
Proto detect            IPv4      17            12             6579          15704          9026        108.3k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             8            22798          91459         44715        357.7k  1.59  
LOGGER_UNIFIED2             IPv4       6             8            20839         179691         77389        619.1k  2.75  
LOGGER_JSON_ALERT           IPv4       6             8            45058         116155         66673        533.4k  2.37  
LOGGER_JSON_DNS             IPv4      17            12            36801        9314857        823822          9.9m  43.89 
LOGGER_JSON_HTTP            IPv4       6            23            34239         341539         94187          2.2m  9.62  
LOGGER_JSON_TLS             IPv4       6           143            32189          92997         46706          6.7m  29.65 
LOGGER_JSON_FILE            IPv4       6            27            47138         189803         84516          2.3m  10.13 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1864             2544        7922931         21385        39.9m  21.15 
payload                           IPv4      17            12            15734          38079         23319       279.8k  0.15  
stream                            IPv4       6          1864             2524        6053682         31194        58.1m  30.85 
http_uri                          IPv4       6            23             3494          27927          7690       176.9k  0.09  
http_request_line                 IPv4       6            23             3395           9261          6384       146.8k  0.08  
http_client_body                  IPv4       6            23             2840          36609          7701       177.1k  0.09  
http_header (request)             IPv4       6            23            15448         149746         53470         1.2m  0.65  
http_header (request trailer)     IPv4       6            23             2599           2816          2644        60.8k  0.03  
http_header_names (request)       IPv4       6            23             5142          70214         17827       410.0k  0.22  
http_accept (request)             IPv4       6            23             3080           7668          3832        88.1k  0.05  
http_referer (request)            IPv4       6            23             2853           3522          3087        71.0k  0.04  
http_content_len (request)        IPv4       6            23             2880           4637          3515        80.8k  0.04  
http_content_type (request)       IPv4       6            23             2847          17347          3903        89.8k  0.05  
http_start (request)              IPv4       6            23             5830          30049         12389       285.0k  0.15  
http_raw_header (request)         IPv4       6            23             8253          51599         14823       340.9k  0.18  
http_method                       IPv4       6            23             2921           5459          4457       102.5k  0.05  
http_cookie (request)             IPv4       6            23             2928          50934         12295       282.8k  0.15  
http_raw_uri                      IPv4       6            23             2664           6290          3583        82.4k  0.04  
http_user_agent                   IPv4       6            23             2991          36954         22708       522.3k  0.28  
http_host                         IPv4       6            23             2890           8458          4548       104.6k  0.06  
dns_query                         IPv4      17             6             7508          21710         13306        79.8k  0.04  
tls_sni                           IPv4       6           143             2910          29590          3938       563.2k  0.30  
http_response_line                IPv4       6            23             3221          11163          6676       153.6k  0.08  
http_header (response)            IPv4       6            23             6338          61309         29229       672.3k  0.36  
http_header (response trailer)    IPv4       6            23             2605          81839          7376       169.7k  0.09  
http_content_type (response)      IPv4       6            23             3061           7688          4970       114.3k  0.06  
http_raw_header (response)        IPv4       6           577             3465          17929          4449         2.6m  1.36  
http_cookie (response)            IPv4       6            23             2805           3981          3106        71.5k  0.04  
http_stat_code                    IPv4       6            23             2829           5124          3771        86.8k  0.05  
tls_cert_issuer                   IPv4       6           143             3153           7257          3836       548.6k  0.29  
tls_cert_subject                  IPv4       6           143             3002          17263          3918       560.4k  0.30  
tls_cert_serial                   IPv4       6           143             3058          18841          3883       555.3k  0.29  
file_data (http response)         IPv4       6           577             2575        8704501        138311        79.8m  42.34 
Total                             IPv4                  6001                                         31409       188.5m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         %%
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- ---
PROF_DETECT_IPONLY          IPv4       6           338             3262          52789         16123          5.4m  0.59  
PROF_DETECT_IPONLY          IPv4      17            12            18846          83102         30718        368.6k  0.04  
PROF_DETECT_RULES           IPv4       6          5298             2518       14134053         40237        213.2m  23.22 
PROF_DETECT_RULES           IPv4      17            12            98127         258023        151619          1.8m  0.20  
PROF_DETECT_STATEFUL_START    IPv4       6           778             5106         975294         36728         28.6m  3.11  
PROF_DETECT_STATEFUL_CONT    IPv4       6          5298             2512         411736          5179         27.4m  2.99  
PROF_DETECT_STATEFUL_CONT    IPv4      17            12             3984          30279          6490         77.9k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          4622             2541         104173          2773         12.8m  1.40  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            12             2699           3305          2913         35.0k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          5298             7809        8885437         58399        309.4m  33.70 
PROF_DETECT_PREFILTER       IPv4      17            12            43893          80146         57362        688.4k  0.07  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1864            13280        7938156         60888        113.5m  12.36 
PROF_DETECT_PF_PAYLOAD      IPv4      17            12            20916          43358         28592        343.1k  0.04  
PROF_DETECT_PF_TX           IPv4       6          4622             2548        8724336         25144        116.2m  12.66 
PROF_DETECT_PF_TX           IPv4      17             6            13800          27433         19256        115.5k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6          1723             2518          35103          3043          5.2m  0.57  
PROF_DETECT_PF_SORT1        IPv4      17            12             3145           4034          3508         42.1k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6          5298             2507          89936          2852         15.1m  1.65  
PROF_DETECT_PF_SORT2        IPv4      17            12             2980           4061          3385         40.6k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6          5298             2519          43385          2942         15.6m  1.70  
PROF_DETECT_NONMPMLIST      IPv4      17            12             2897           4052          3276         39.3k  0.00  
PROF_DETECT_ALERT           IPv4       6          5298             2514          57787          2779         14.7m  1.60  
PROF_DETECT_ALERT           IPv4      17            12             2542           4076          2905         34.9k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          5298             2547          83756          2882         15.3m  1.66  
PROF_DETECT_CLEANUP         IPv4      17            12             2955           5198          3733         44.8k  0.00  
PROF_DETECT_GETSGH          IPv4       6          5298             2516        5014643          4134         21.9m  2.39  
PROF_DETECT_GETSGH          IPv4      17            12             5468           6188          5791         69.5k  0.01  


stats.log - (3389 bytes)
------------------------------------------------------------------------------------
Date: 5/22/2019 -- 08:14:27 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 5164
decoder.bytes                              | Total                     | 4393111
decoder.ipv4                               | Total                     | 5164
decoder.ethernet                           | Total                     | 5164
decoder.tcp                                | Total                     | 5152
decoder.udp                                | Total                     | 12
decoder.avg_pkt_size                       | Total                     | 850
decoder.max_pkt_size                       | Total                     | 20494
flow.tcp                                   | Total                     | 169
flow.udp                                   | Total                     | 6
tcp.sessions                               | Total                     | 169
tcp.syn                                    | Total                     | 193
tcp.synack                                 | Total                     | 157
tcp.rst                                    | Total                     | 15
tcp.overlap                                | Total                     | 1
detect.alert                               | Total                     | 10
detect.mpm_list                            | Total                     | 1
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 2
app_layer.flow.http                        | Total                     | 14
app_layer.tx.http                          | Total                     | 23
app_layer.flow.tls                         | Total                     | 143
app_layer.flow.dns_udp                     | Total                     | 6
app_layer.tx.dns_udp                       | Total                     | 6
flow_mgr.closed_pruned                     | Total                     | 11
flow_mgr.new_pruned                        | Total                     | 12
flow_mgr.est_pruned                        | Total                     | 6
flow.spare                                 | Total                     | 10029
flow_mgr.flows_checked                     | Total                     | 175
flow_mgr.flows_notimeout                   | Total                     | 20
flow_mgr.flows_timeout                     | Total                     | 155
flow_mgr.flows_timeout_inuse               | Total                     | 126
flow_mgr.flows_removed                     | Total                     | 29
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65361
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7124704


eve.json - (83623 bytes)
{"timestamp":"2018-08-14T15:26:32.979518+0000","flow_id":396171888095806,"pcap_cnt":1,"event_type":"dns","src_ip":"10.8.14.101","src_port":60378,"dest_ip":"10.8.14.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59459,"rrname":"sano.ir","rrtype":"A","tx_id":0}}
{"timestamp":"2018-08-14T15:26:33.597846+0000","flow_id":396171888095806,"pcap_cnt":2,"event_type":"dns","src_ip":"10.8.14.1","src_port":53,"dest_ip":"10.8.14.101","dest_port":60378,"proto":"UDP","dns":{"type":"answer","id":59459,"rcode":"NOERROR","rrname":"sano.ir","rrtype":"A","ttl":14399,"rdata":"185.88.153.108"}}
{"timestamp":"2018-08-14T15:26:34.831034+0000","flow_id":943093023699230,"pcap_cnt":9,"event_type":"http","src_ip":"10.8.14.101","src_port":49214,"dest_ip":"185.88.153.108","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sano.ir","url":"\/Aug2018\/US_us\/Invoice-for-sent\/Order-0928739634","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-08-14T15:26:34.832718+0000","flow_id":943093023699230,"pcap_cnt":11,"event_type":"fileinfo","src_ip":"185.88.153.108","src_port":80,"dest_ip":"10.8.14.101","dest_port":49214,"proto":"TCP","http":{"hostname":"sano.ir","url":"\/Aug2018\/US_us\/Invoice-for-sent\/Order-0928739634","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/sano.ir\/Aug2018\/US_us\/Invoice-for-sent\/Order-0928739634\/","length":1147},"app_proto":"http","fileinfo":{"filename":"\/Aug2018\/US_us\/Invoice-for-sent\/Order-0928739634","gaps":false,"state":"CLOSED","stored":false,"size":1147,"tx_id":0}}
{"timestamp":"2018-08-14T15:26:36.525409+0000","flow_id":943093023699230,"pcap_cnt":74,"event_type":"alert","src_ip":"185.88.153.108","src_port":80,"dest_ip":"10.8.14.101","dest_port":49214,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019613,"rev":3,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-08-14T15:26:36.540029+0000","flow_id":943093023699230,"pcap_cnt":89,"event_type":"alert","src_ip":"185.88.153.108","src_port":80,"dest_ip":"10.8.14.101","dest_port":49214,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-08-14T15:26:36.957174+0000","flow_id":943093023699230,"pcap_cnt":144,"event_type":"http","src_ip":"10.8.14.101","src_port":49214,"dest_ip":"185.88.153.108","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"sano.ir","url":"\/Aug2018\/US_us\/Invoice-for-sent\/Order-0928739634\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-08-14T15:27:08.973397+0000","flow_id":561983397878357,"pcap_cnt":146,"event_type":"dns","src_ip":"10.8.14.101","src_port":60824,"dest_ip":"10.8.14.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58352,"rrname":"organicprom.ru","rrtype":"A","tx_id":0}}
{"timestamp":"2018-08-14T15:27:09.437684+0000","flow_id":561983397878357,"pcap_cnt":147,"event_type":"dns","src_ip":"10.8.14.1","src_port":53,"dest_ip":"10.8.14.101","dest_port":60824,"proto":"UDP","dns":{"type":"answer","id":58352,"rcode":"NOERROR","rrname":"organicprom.ru","rrtype":"A","ttl":3598,"rdata":"195.208.1.102"}}
{"timestamp":"2018-08-14T15:27:09.845183+0000","flow_id":1935097327369425,"pcap_cnt":154,"event_type":"http","src_ip":"10.8.14.101","src_port":49219,"dest_ip":"195.208.1.102","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"organicprom.ru","url":"\/xh9Y4","http_content_type":"text\/html"}}
{"timestamp":"2018-08-14T15:27:09.845213+0000","flow_id":1935097327369425,"pcap_cnt":155,"event_type":"fileinfo","src_ip":"195.208.1.102","src_port":80,"dest_ip":"10.8.14.101","dest_port":49219,"proto":"TCP","http":{"hostname":"organicprom.ru","url":"\/xh9Y4","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/organicprom.ru\/xh9Y4\/","length":327},"app_proto":"http","fileinfo":{"filename":"\/xh9Y4","gaps":false,"state":"CLOSED","stored":false,"size":327,"tx_id":0}}
{"timestamp":"2018-08-14T15:27:10.043924+0000","flow_id":1935097327369425,"pcap_cnt":159,"event_type":"alert","src_ip":"195.208.1.102","src_port":80,"dest_ip":"10.8.14.101","dest_port":49219,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2020202,"rev":2,"signature":"ET POLICY Terse Named Filename EXE Download - Possibly Hostile","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-08-14T15:27:10.421288+0000","flow_id":1935097327369425,"pcap_cnt":179,"event_type":"alert","src_ip":"195.208.1.102","src_port":80,"dest_ip":"10.8.14.101","dest_port":49219,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-08-14T15:27:10.421288+0000","flow_id":1935097327369425,"pcap_cnt":179,"event_type":"alert","src_ip":"195.208.1.102","src_port":80,"dest_ip":"10.8.14.101","dest_port":49219,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-08-14T15:27:10.421288+0000","flow_id":1935097327369425,"pcap_cnt":179,"event_type":"alert","src_ip":"195.208.1.102","src_port":80,"dest_ip":"10.8.14.101","dest_port":49219,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-08-14T15:27:11.209332+0000","flow_id":1935097327369425,"pcap_cnt":252,"event_type":"http","src_ip":"10.8.14.101","src_port":49219,"dest_ip":"195.208.1.102","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"organicprom.ru","url":"\/xh9Y4\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-08-14T15:27:32.171468+0000","flow_id":119318300018721,"pcap_cnt":259,"event_type":"http","src_ip":"10.8.14.101","src_port":49220,"dest_ip":"216.21.168.27","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"216.21.168.27","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-08-14T15:28:32.415312+0000","flow_id":119318300018721,"pcap_cnt":261,"event_type":"fileinfo","src_ip":"216.21.168.27","src_port":80,"dest_ip":"10.8.14.101","dest_port":49220,"proto":"TCP","http":{"hostname":"216.21.168.27","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}
{"timestamp":"2018-08-14T15:28:33.645277+0000","flow_id":947611336988413,"pcap_cnt":404,"event_type":"http","src_ip":"10.8.14.101","src_port":49234,"dest_ip":"216.21.168.27","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"216.21.168.27","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-08-14T15:28:33.667251+0000","flow_id":947611336988413,"pcap_cnt":406,"event_type":"fileinfo","src_ip":"216.21.168.27","src_port":80,"dest_ip":"10.8.14.101","dest_port":49234,"proto":"TCP","http":{"hostname":"216.21.168.27","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":172500},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":172500,"tx_id":0}}
{"timestamp":"2018-08-14T15:28:34.353435+0000","flow_id":947611336988413,"pcap_cnt":530,"event_type":"http","src_ip":"10.8.14.101","src_port":49234,"dest_ip":"216.21.168.27","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"216.21.168.27","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-08-14T15:28:34.438978+0000","flow_id":947611336988413,"pcap_cnt":532,"event_type":"fileinfo","src_ip":"216.21.168.27","src_port":80,"dest_ip":"10.8.14.101","dest_port":49234,"proto":"TCP","http":{"hostname":"216.21.168.27","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":154356},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":154356,"tx_id":1}}
{"timestamp":"2018-08-14T15:28:34.689115+0000","flow_id":947611336988413,"pcap_cnt":534,"event_type":"http","src_ip":"10.8.14.101","src_port":49234,"dest_ip":"216.21.168.27","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"216.21.168.27","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-08-14T15:29:39.765276+0000","flow_id":947611336988413,"pcap_cnt":535,"event_type":"fileinfo","src_ip":"216.21.168.27","src_port":80,"dest_ip":"10.8.14.101","dest_port":49234,"proto":"TCP","http":{"hostname":"216.21.168.27","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":2}}
{"timestamp":"2018-08-14T15:30:35.075310+0000","flow_id":1583249324975662,"pcap_cnt":537,"event_type":"dns","src_ip":"10.8.14.101","src_port":54029,"dest_ip":"10.8.14.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10404,"rrname":"theeunload.website","rrtype":"A","tx_id":0}}
{"timestamp":"2018-08-14T15:30:35.427464+0000","flow_id":1583249324975662,"pcap_cnt":538,"event_type":"dns","src_ip":"10.8.14.1","src_port":53,"dest_ip":"10.8.14.101","dest_port":54029,"proto":"UDP","dns":{"type":"answer","id":10404,"rcode":"NOERROR","rrname":"theeunload.website","rrtype":"A","ttl":598,"rdata":"178.132.7.104"}}
{"timestamp":"2018-08-14T15:30:36.501325+0000","flow_id":973806350604362,"pcap_cnt":545,"event_type":"tls","src_ip":"10.8.14.101","src_port":49235,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:30:38.955752+0000","flow_id":1093223621381987,"pcap_cnt":560,"event_type":"tls","src_ip":"10.8.14.101","src_port":49237,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:30:40.593560+0000","flow_id":1154199272286392,"pcap_cnt":584,"event_type":"tls","src_ip":"10.8.14.101","src_port":49238,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:30:42.847079+0000","flow_id":1754201908600607,"pcap_cnt":599,"event_type":"tls","src_ip":"10.8.14.101","src_port":49239,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:35:45.750223+0000","flow_id":2075688820554979,"pcap_cnt":1065,"event_type":"tls","src_ip":"10.8.14.101","src_port":49240,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:35:46.975171+0000","flow_id":602725491533646,"pcap_cnt":1080,"event_type":"tls","src_ip":"10.8.14.101","src_port":49241,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:35:48.817800+0000","flow_id":447367934599476,"pcap_cnt":1101,"event_type":"tls","src_ip":"10.8.14.101","src_port":49242,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:35:49.841717+0000","flow_id":1052674855593639,"pcap_cnt":1116,"event_type":"tls","src_ip":"10.8.14.101","src_port":49243,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:40:35.014651+0000","flow_id":1273693891410235,"pcap_cnt":1131,"event_type":"dns","src_ip":"10.8.14.101","src_port":58831,"dest_ip":"10.8.14.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54163,"rrname":"www.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-08-14T15:40:35.041750+0000","flow_id":1273693891410235,"pcap_cnt":1132,"event_type":"dns","src_ip":"10.8.14.1","src_port":53,"dest_ip":"10.8.14.101","dest_port":58831,"proto":"UDP","dns":{"type":"answer","id":54163,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":33,"rdata":"172.217.9.164"}}
{"timestamp":"2018-08-14T15:40:35.096931+0000","flow_id":1586187121960955,"pcap_cnt":1139,"event_type":"tls","src_ip":"10.8.14.101","src_port":49246,"dest_ip":"172.217.9.164","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=www.google.com","issuerdn":"C=US, O=Google Trust Services, CN=Google Internet Authority G3"}}
{"timestamp":"2018-08-14T15:40:36.701705+0000","flow_id":2175946261200999,"pcap_cnt":1213,"event_type":"tls","src_ip":"10.8.14.101","src_port":49247,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:40:38.152952+0000","flow_id":1104369100846556,"pcap_cnt":1228,"event_type":"tls","src_ip":"10.8.14.101","src_port":49248,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN=domain.com\/O=My Company Name LTD.\/C=US"}}
{"timestamp":"2018-08-14T15:40:52.060465+0000","flow_id":1119483091677882,"pcap_cnt":1248,"event_type":"tls","src_ip":"10.8.14.101","src_port":49249,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com\/O=My Company Name LTD.\/C=US","issuerdn":"CN

This file has been truncated.
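The eve.json records above carry the whole chain in order: a DNS answer for sano.ir, a 301 into a Word document that fires the AutoOpen-macro alerts, a DNS answer for organicprom.ru followed by an application/octet-stream download from a short path, then HTTP straight to the bare IP 216.21.168.27 with no DNS lookup in front of it, and repeated TLS sessions to 178.132.7.104 presenting a certificate whose subject equals its issuer (self-signed, "CN=domain.com"). The script below is an added example, written for this page and not part of the report or of Suricata itself, that runs those checks over EVE JSON. The sample events are a constructed, hand-trimmed subset of the records shown; HOST is assumed to be the monitored client 10.8.14.101; the subject-equals-issuer test also matches trusted root certificates, so it is a flag to inspect rather than a verdict.

```python
import json
import re
from collections import defaultdict

# Constructed sample input: a hand-trimmed subset of the eve.json records on
# this page (same field names Suricata emits, fewer fields per record).
SAMPLE_EVE = r'''
{"timestamp":"2018-08-14T15:26:33.597846+0000","event_type":"dns","src_ip":"10.8.14.1","dest_ip":"10.8.14.101","proto":"UDP","dns":{"type":"answer","rrname":"sano.ir","rrtype":"A","rdata":"185.88.153.108"}}
{"timestamp":"2018-08-14T15:26:34.831034+0000","event_type":"http","src_ip":"10.8.14.101","src_port":49214,"dest_ip":"185.88.153.108","dest_port":80,"proto":"TCP","http":{"hostname":"sano.ir","url":"/Aug2018/US_us/Invoice-for-sent/Order-0928739634","http_user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko","http_content_type":"text/html"}}
{"timestamp":"2018-08-14T15:26:36.525409+0000","event_type":"alert","src_ip":"185.88.153.108","src_port":80,"dest_ip":"10.8.14.101","dest_port":49214,"proto":"TCP","alert":{"signature_id":2019613,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","severity":1}}
{"timestamp":"2018-08-14T15:27:09.437684+0000","event_type":"dns","src_ip":"10.8.14.1","dest_ip":"10.8.14.101","proto":"UDP","dns":{"type":"answer","rrname":"organicprom.ru","rrtype":"A","rdata":"195.208.1.102"}}
{"timestamp":"2018-08-14T15:27:10.421288+0000","event_type":"alert","src_ip":"195.208.1.102","src_port":80,"dest_ip":"10.8.14.101","dest_port":49219,"proto":"TCP","alert":{"signature_id":2018959,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","severity":1}}
{"timestamp":"2018-08-14T15:27:11.209332+0000","event_type":"http","src_ip":"10.8.14.101","src_port":49219,"dest_ip":"195.208.1.102","dest_port":80,"proto":"TCP","http":{"hostname":"organicprom.ru","url":"/xh9Y4/","http_content_type":"application/octet-stream"}}
{"timestamp":"2018-08-14T15:27:32.171468+0000","event_type":"http","src_ip":"10.8.14.101","src_port":49220,"dest_ip":"216.21.168.27","dest_port":80,"proto":"TCP","http":{"hostname":"216.21.168.27","url":"/","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727)","http_content_type":"text/html"}}
{"timestamp":"2018-08-14T15:30:36.501325+0000","event_type":"tls","src_ip":"10.8.14.101","src_port":49235,"dest_ip":"178.132.7.104","dest_port":443,"proto":"TCP","tls":{"subject":"CN=domain.com/O=My Company Name LTD./C=US","issuerdn":"CN=domain.com/O=My Company Name LTD./C=US"}}
'''

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST = "10.8.14.101"  # assumption: the monitored client in this capture


def load_events(text):
    """Parse one JSON record per line. Blank and truncated lines are skipped,
    since the eve.json shown above ends mid-record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def resolved_names(events):
    """Map each A-record answer (IP) to the set of names that resolved to it."""
    names = defaultdict(set)
    for ev in events:
        dns = ev.get("dns", {})
        if ev.get("event_type") == "dns" and dns.get("type") == "answer" \
                and dns.get("rrtype") == "A" and "rdata" in dns:
            names[dns["rdata"]].add(dns["rrname"])
    return names


def peer_of(ev):
    """Remote IP of an event, whichever direction it was logged in."""
    return ev["dest_ip"] if ev["src_ip"] == HOST else ev["src_ip"]


def findings(events):
    """Triage checks over the records; returns (kind, peer_ip, detail) tuples."""
    names = resolved_names(events)
    out = []
    for ev in events:
        kind = ev.get("event_type")
        peer = peer_of(ev)
        if kind == "http":
            h = ev["http"]
            # HTTP to a bare IP that was never resolved via DNS: the pattern
            # behind the "POST to Dotted Quad with Fake Browser" alerts.
            if DOTTED_QUAD.match(h.get("hostname", "")) and peer not in names:
                out.append(("direct_ip_http", peer, h.get("url", "")))
            # Binary served as application/octet-stream (the EXE stage here).
            if h.get("http_content_type") == "application/octet-stream":
                out.append(("binary_download", peer, h.get("url", "")))
        elif kind == "tls":
            t = ev["tls"]
            # subject == issuer means self-signed; trusted roots also match,
            # so treat this as a flag to check, not a verdict.
            if t.get("subject") and t["subject"] == t.get("issuerdn"):
                out.append(("self_signed_tls", peer, t["subject"]))
        elif kind == "alert" and ev["alert"].get("severity") == 1:
            out.append(("high_severity_alert", peer, ev["alert"]["signature"]))
    return out


def timeline(events):
    """Findings in capture order, with the DNS label(s) that resolved to each
    peer, or 'no DNS' when the host was reached by IP alone."""
    names = resolved_names(events)
    rows = []
    for kind, peer, detail in findings(events):
        label = ",".join(sorted(names[peer])) if peer in names else "no DNS"
        rows.append(f"{kind:20} {peer:15} ({label}) {detail}")
    return rows


if __name__ == "__main__":
    for row in timeline(load_events(SAMPLE_EVE)):
        print(row)
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; on this capture the "no DNS" label lands on 216.21.168.27 (the Emotet callbacks) and the self-signed flag on every session to 178.132.7.104, while the two Google sessions, whose issuer is Google Internet Authority G3, pass.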


suricata-report-2019-05-22-T-08-14-27-05222019.0814-2018-08-14-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap.txt - (18173 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/98d1d89589ef10943fce05b8f98d15f7d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/05222019.0814-2018-08-14-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap -vvv -k none
elapsedtime:8.796340
stderr:
stdout:
22/5/2019 -- 08:14:18 - <Info> - Configuration node 'rule-files' redefined.
22/5/2019 -- 08:14:18 - <Notice> - This is Suricata version 4.0.0 RELEASE
22/5/2019 -- 08:14:18 - <Info> - CPUs/cores online: 1
22/5/2019 -- 08:14:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33669 and 'request-body-inspect-window' set to 15649 after randomization.
22/5/2019 -- 08:14:18 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33131 and 'response-body-inspect-window' set to 15710 after randomization.
22/5/2019 -- 08:14:18 - <Config> - DNS request flood protection level: 500
22/5/2019 -- 08:14:18 - <Config> - DNS per flow memcap (state-memcap): 524288
22/5/2019 -- 08:14:18 - <Config> - DNS global memcap: 16777216
22/5/2019 -- 08:14:18 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
22/5/2019 -- 08:14:18 - <Config> - preallocated 1000 hosts of size 136
22/5/2019 -- 08:14:18 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
22/5/2019 -- 08:14:18 - <Config> - using magic-file /usr/share/file/magic
22/5/2019 -- 08:14:18 - <Config> - Core dump size is unlimited.
22/5/2019 -- 08:14:18 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
22/5/2019 -- 08:14:18 - <Config> - preallocated 1000 defrag trackers of size 168
22/5/2019 -- 08:14:18 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
22/5/2019 -- 08:14:18 - <Config> - stream "prealloc-sessions": 2048 (per thread)
22/5/2019 -- 08:14:18 - <Config> - stream "memcap": 33554432
22/5/2019 -- 08:14:18 - <Config> - stream "midstream" session pickups: disabled
22/5/2019 -- 08:14:18 - <Config> - stream "async-oneside": disabled
22/5/2019 -- 08:14:18 - <Config> - stream "checksum-validation": disabled
22/5/2019 -- 08:14:18 - <Config> - stream."inline": disabled
22/5/2019 -- 08:14:18 - <Config> - stream "bypass": disabled
22/5/2019 -- 08:14:18 - <Config> - stream "max-synack-queued": 5
22/5/2019 -- 08:14:18 - <Config> - stream.reassembly "memcap": 134217728
22/5/2019 -- 08:14:18 - <Config> - stream.reassembly "depth": 0
22/5/2019 -- 08:14:18 - <Config> - stream.reassembly "toserver-chunk-size": 2608
22/5/2019 -- 08:14:18 - <Config> - stream.reassembly "toclient-chunk-size": 2633
22/5/2019 -- 08:14:18 - <Config> - stream.reassembly.raw: enabled
22/5/2019 -- 08:14:18 - <Config> - stream.reassembly "segment-prealloc": 2048
22/5/2019 -- 08:14:18 - <Config> - Delayed detect disabled
22/5/2019 -- 08:14:18 - <Config> - pattern matchers: MPM: ac, SPM: bm
22/5/2019 -- 08:14:18 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
22/5/2019 -- 08:14:18 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
22/5/2019 -- 08:14:18 - <Config> - prefilter engines: MPM
22/5/2019 -- 08:14:18 - <Config> - IP reputation disabled
22/5/2019 -- 08:14:18 - <Perf> - Registered 148 keyword profiling counters.
22/5/2019 -- 08:14:18 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
22/5/2019 -- 08:14:18 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
22/5/2019 -- 08:14:18 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
22/5/2019 -- 08:14:19 - <Config> - No rules loaded from ET-emerging-icmp.rules.
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
22/5/2019 -- 08:14:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
22/5/2019 -- 08:14:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
22/5/2019 -- 08:14:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
22/5/2019 -- 08:14:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
22/5/2019 -- 08:14:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
22/5/2019 -- 08:14:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
22/5/2019 -- 08:14:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
22/5/2019 -- 08:14:22 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
22/5/2019 -- 08:14:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
22/5/2019 -- 08:14:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
22/5/2019 -- 08:14:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
22/5/2019 -- 08:14:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
22/5/2019 -- 08:14:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
22/5/2019 -- 08:14:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
22/5/2019 -- 08:14:23 - <Config> - No rules loaded from local.rules.
22/5/2019 -- 08:14:23 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
22/5/2019 -- 08:14:23 - <Info> - Threshold config parsed: 0 rule(s) found
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for tcp-packet
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for tcp-stream
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for udp-packet
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for other-ip
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_uri
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_request_line
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_client_body
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_response_line
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_header
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_header
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_header_names
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_header_names
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_accept
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_accept_enc
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_accept_lang
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_referer
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_connection
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_content_len
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_content_len
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_content_type
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_content_type
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_protocol
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_protocol
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_start
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_start
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_raw_header
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_raw_header
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_method
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_cookie
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_cookie
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_raw_uri
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_user_agent
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_host
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_raw_host
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_stat_msg
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_stat_code
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for dns_query
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for tls_sni
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for tls_cert_issuer
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for tls_cert_subject
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for tls_cert_serial
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for dce_stub_data
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for dce_stub_data
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for ssh_protocol
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for ssh_protocol
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for ssh_software
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for ssh_software
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for file_data
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for file_data
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_request_line
22/5/2019 -- 08:14:23 - <Perf> - using shared mpm ctx' for http_response_line
22/5/2019 -- 08:14:23 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
22/5/2019 -- 08:14:23 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
22/5/2019 -- 08:14:23 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
22/5/2019 -- 08:14:23 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
22/5/2019 -- 08:14:23 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
22/5/2019 -- 08:14:23 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
22/5/2019 -- 08:14:23 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
22/5/2019 -- 08:14:23 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
22/5/2019 -- 08:14:24 - <Perf> - Unique rule groups: 111
22/5/2019 -- 08:14:24 - <Perf> - Builtin MPM "toserver TCP packet": 31
22/5/2019 -- 08:14:24 - <Perf> - Builtin MPM "toclient TCP packet": 20
22/5/2019 -- 08:14:24 - <Perf> - Builtin MPM "toserver TCP stream": 31
22/5/2019 -- 08:14:24 - <Perf> - Builtin MPM "toclient TCP stream": 21
22/5/2019 -- 08:14:24 - <Perf> - Builtin MPM "toserver UDP packet": 33
22/5/2019 -- 08:14:24 - <Perf> - Builtin MPM "toclient UDP packet": 15
22/5/2019 -- 08:14:24 - <Perf> - Builtin MPM "other IP packet": 2
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_uri": 8
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_request_line": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_client_body": 6
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient http_response_line": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_header": 6
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient http_header": 3
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_header_names": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_accept": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_referer": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_content_len": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_content_type": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient http_content_type": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_start": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_method": 3
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_cookie": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient http_cookie": 2
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver http_host": 2
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver dns_query": 4
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver tls_sni": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toserver file_data": 1
22/5/2019 -- 08:14:24 - <Perf> - AppLayer MPM "toclient file_data": 5
22/5/2019 -- 08:14:24 - <Perf> - Registered 18241 rule profiling counters.
22/5/2019 -- 08:14:24 - <Info> - fast output device (regular) initialized: alert
22/5/2019 -- 08:14:24 - <Info> - eve-log output device (regular) initialized: eve.json
22/5/2019 -- 08:14:24 - <Config> - enabling 'eve-log' module 'alert'
22/5/2019 -- 08:14:24 - <Config> - enabling 'eve-log' module 'http'
22/5/2019 -- 08:14:24 - <Config> - enabling 'eve-log' module 'dns'
22/5/2019 -- 08:14:24 - <Config> - enabling 'eve-log' module 'tls'
22/5/2019 -- 08:14:24 - <Config> - enabling 'eve-log' module 'files'
22/5/2019 -- 08:14:24 - <Config> - enabling 'eve-log' module 'ssh'
22/5/2019 -- 08:14:24 - <Info> - Unified2-alert initialized: filename unified2.alert, 

This file has been truncated.


keyword_perf.log - (12890 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 5/22/2019 -- 08:14:27
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             11503558        2956            2956            2570343         3891.00         3891.00         0.00           
  content          32610987        6366            3354            462248          5122.00         5309.00         4914.00        
  pcre             4778097         1336            958             133906          3576.00         3372.00         4093.00        
  byte_test        692492          208             171             16767           3329.00         3429.00         2864.00        
  byte_jump        342805          111             10              5071            3088.00         3045.00         3092.00        
  isdataat         16790           6               0               2875            2798.00         0.00            2798.00        
  flowbits         2473574         854             60              19292           2896.00         3923.00         2818.00        
  urilen           567286          185             44              15172           3066.00         3320.00         2986.00        
  byte_extract     25741           7               7               4190            3677.00         3677.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             11503558        2956            2956            2570343         3891.00         3891.00         0.00           
  flowbits         2336383         827             33              19292           2825.00         2975.00         2818.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          18898253        4232            2352            50956           4465.00         4271.00         4708.00        
  pcre             3810224         1153            856             133906          3304.00         3119.00         3836.00        
  byte_test        692492          208             171             16767           3329.00         3429.00         2864.00        
  byte_jump        321926          104             3               5071            3095.00         3190.00         3092.00        
  isdataat         16790           6               0               2875            2798.00         0.00            2798.00        
  byte_extract     25741           7               7               4190            3677.00         3677.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         137191          27              27              18624           5081.00         5081.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          532884          154             28              16093           3460.00         4457.00         3238.00        
  pcre             352401          79              27              17551           4460.00         5273.00         4038.00        
  urilen           567286          185             44              15172           3066.00         3320.00         2986.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          13680           4               4               3875            3420.00         3420.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          66752           21              0               4019            3178.00         0.00            3178.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          8238105         729             82              462248          11300.00        49943.00        6403.00        
  byte_jump        20879           7               7               3543            2982.00         2982.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3085250         739             595             69480           4174.00         4092.00         4516.00        
  pcre             609817          103             75              19970           5920.00         5570.00         6859.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          145178          43              13              4800            3376.00         3470.00         3335.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4465            1               0               4465            4465.00         0.00            4465.00        
  pcre             5655            1               0               5655            5655.00         0.00            5655.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          257701          75              27              16188           3436.00         3639.00         3321.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1344959         361             247             39264           3725.00         3761.00         3647.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3603            1               0               3603            3603.00         0.00            3603.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20157           6               6               3584            3359.00         3359.00         0.00           


IDSDeathBlossom.py.log - (1201 bytes)
2019-05-22 08:14:17,600 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-05-22 08:14:18,356 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-05-22 08:14:18,356 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-05-22 08:14:18,357 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-05-22 08:14:18,357 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-05-22 08:14:18,357 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/98d1d89589ef10943fce05b8f98d15f7d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/05222019.0814-2018-08-14-Emotet-infection-traffic-with-Zeus-Panda-Banker.pcap -vvv -k none
2019-05-22 08:14:27,155 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-05-22 08:14:27,156 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 9.56383395195