Filename: 2018-01-05-fake-AV-page-after-viewing-sunrisegolf.club.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all (Emerging Threats Pro, full ruleset)
Runtime: 25.8949389458 seconds
Hash: 9b967977c969634423f830705d972152 (32 hex digits, MD5 length)
Uploaded: 1542805373 (Unix epoch seconds; 2018-11-21 13:02:53 UTC, matching the timestamp in the perf log filename below)

Logfiles


packet_stats.log - (12532 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           % 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           346          2831505      110692477      72126966         25.0b   99.40
 IPv4      17             8         13703038       25045826      18814982        150.5m    0.60
Note: Protocol 256 tracks pseudo/tunnel packets.
Note: min/max/avg/tot in all profiling tables below are CPU ticks per packet; tot uses k/m/b suffixes (thousand/million/billion).

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           346            68093       14568358        306921        106.2m   83.24
TMM_FLOWWORKER              IPv4      17             8           409343       15703777       2414938         19.3m   15.14
TMM_RECEIVEPCAPFILE         IPv4       6           338             2540           4628          3024          1.0m    0.80
TMM_RECEIVEPCAPFILE         IPv4      17             8             2810           7955          3555         28.4k    0.02
TMM_DECODEPCAPFILE          IPv4       6           338             2654          12606          2863        967.8k    0.76
TMM_DECODEPCAPFILE          IPv4      17             8             2767          20996          5341         42.7k    0.03

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6           338             2842          15722          3355          1.1m  1.11  
flow                    IPv4      17             8             3260          13044          5879         47.0k  0.05  
stream                  IPv4       6           346             2855         287826         11260          3.9m  3.80  
app-layer               IPv4      17             8            10484          42170         18814        150.5k  0.15  
detect                  IPv4       6           346            45649       14520592        268837         93.0m  90.76 
detect                  IPv4      17             8           282689         538045        397465          3.2m  3.10  
tcp-prune               IPv4       6           346             2546          17610          3074          1.1m  1.04  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6             7             3078          46659         11530         80.7k  59.83 
dns                     IPv4      17             8             4809          13391          6773         54.2k  40.17 
Proto detect            IPv4      17             8             4638          19207          9062         72.5k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6             5            22944          42002         30408        152.0k  0.87  
LOGGER_ALERT_FAST           IPv4      17             2            14560          71618         43089         86.2k  0.49  
LOGGER_UNIFIED2             IPv4       6             5            30279          87935         50926        254.6k  1.46  
LOGGER_UNIFIED2             IPv4      17             2            18026         107375         62700        125.4k  0.72  
LOGGER_JSON_ALERT           IPv4       6             5            45292          86945         59183        295.9k  1.69  
LOGGER_JSON_ALERT           IPv4      17             2            49532          59825         54678        109.4k  0.63  
LOGGER_JSON_DNS             IPv4      17             8            29059       15078059       1923222         15.4m  88.12 
LOGGER_JSON_HTTP            IPv4       6             6            38681         151151         99131        594.8k  3.41  
LOGGER_JSON_FILE            IPv4       6             4            66810         160638        114228        456.9k  2.62  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          % 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           242             2605         183384         22695         5.5m  14.23 
payload                           IPv4      17             8            23368          39279         28052       224.4k  0.58  
stream                            IPv4       6           242             2540       14298127        106155        25.7m  66.57 
http_uri                          IPv4       6             6             4857          34392         15416        92.5k  0.24  
http_request_line                 IPv4       6             6             4850          19856          8652        51.9k  0.13  
http_client_body                  IPv4       6             6             3090           8319          4072        24.4k  0.06  
http_header (request)             IPv4       6             6            41986         100210         67133       402.8k  1.04  
http_header (request trailer)     IPv4       6             6             2597           2678          2647        15.9k  0.04  
http_header_names (request)       IPv4       6             6            10889          23532         15976        95.9k  0.25  
http_accept (request)             IPv4       6             6             3756           7345          5138        30.8k  0.08  
http_referer (request)            IPv4       6             6             3374           6765          5081        30.5k  0.08  
http_content_len (request)        IPv4       6             6             3002           4806          3621        21.7k  0.06  
http_content_type (request)       IPv4       6             6             2969           3538          3269        19.6k  0.05  
http_protocol (request)           IPv4       6             6             4627           5911          5125        30.8k  0.08  
http_start (request)              IPv4       6             6             9243          16369         13162        79.0k  0.20  
http_raw_header (request)         IPv4       6             6            10644          19073         14491        86.9k  0.23  
http_method                       IPv4       6             6             3916           6541          5471        32.8k  0.09  
http_cookie (request)             IPv4       6             6             3108           4223          3442        20.7k  0.05  
http_raw_uri                      IPv4       6             6             3019           7301          5251        31.5k  0.08  
http_user_agent                   IPv4       6             6            12803          29454         19860       119.2k  0.31  
http_host                         IPv4       6             6             5696          21581          9852        59.1k  0.15  
dns_query                         IPv4      17             4             9027          12116         10455        41.8k  0.11  
http_response_line                IPv4       6             6             3395          10281          8148        48.9k  0.13  
http_header (response)            IPv4       6             6            34347          69342         48017       288.1k  0.75  
http_header (response trailer)    IPv4       6             5             2683          13329          5935        29.7k  0.08  
http_content_type (response)      IPv4       6             6             3650           9517          6598        39.6k  0.10  
http_raw_header (response)        IPv4       6           218             3696          39850          4790         1.0m  2.71  
http_cookie (response)            IPv4       6             6             2947           8446          4285        25.7k  0.07  
http_stat_code                    IPv4       6             6             2855           4553          3904        23.4k  0.06  
file_data (http response)         IPv4       6           213             2569        1659181         20632         4.4m  11.39 
Total                             IPv4                  1070                                         36064        38.6m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6             8             8427          56776         30601        244.8k  0.17  
PROF_DETECT_IPONLY          IPv4      17             8            37084          83740         54514        436.1k  0.31  
PROF_DETECT_RULES           IPv4       6           346             2562        2769050         74809         25.9m  18.32 
PROF_DETECT_RULES           IPv4      17             8           123328         283215        210717          1.7m  1.19  
PROF_DETECT_STATEFUL_START    IPv4       6           108             5095        1551976         88225          9.5m  6.74  
PROF_DETECT_STATEFUL_CONT    IPv4       6           346             2514          97032         10577          3.7m  2.59  
PROF_DETECT_STATEFUL_CONT    IPv4      17             8             6051          43198         12255         98.0k  0.07  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           330             2554           4316          2672        882.0k  0.62  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             8             2634           3745          3077         24.6k  0.02  
PROF_DETECT_PREFILTER       IPv4       6           346             7972       14379575        142155         49.2m  34.81 
PROF_DETECT_PREFILTER       IPv4      17             8            47196          81688         62573        500.6k  0.35  
PROF_DETECT_PF_PAYLOAD      IPv4       6           242            14635       14325159        137150         33.2m  23.49 
PROF_DETECT_PF_PAYLOAD      IPv4      17             8            28472          44386         33316        266.5k  0.19  
PROF_DETECT_PF_TX           IPv4       6           330             2551        1673471         29715          9.8m  6.94  
PROF_DETECT_PF_TX           IPv4      17             4            14739          18485         16631         66.5k  0.05  
PROF_DETECT_PF_SORT1        IPv4       6           171             2525          32689          3465        592.5k  0.42  
PROF_DETECT_PF_SORT1        IPv4      17             8             3545           5618          4315         34.5k  0.02  
PROF_DETECT_PF_SORT2        IPv4       6           346             2545          24530          2968          1.0m  0.73  
PROF_DETECT_PF_SORT2        IPv4      17             8             3155           4373          3731         29.8k  0.02  
PROF_DETECT_NONMPMLIST      IPv4       6           346             2554          19276          2894          1.0m  0.71  
PROF_DETECT_NONMPMLIST      IPv4      17             8             2894           3750          3250         26.0k  0.02  
PROF_DETECT_ALERT           IPv4       6           346             2519          16180          2708        937.3k  0.66  
PROF_DETECT_ALERT           IPv4      17             8             2601          15251          6509         52.1k  0.04  
PROF_DETECT_CLEANUP         IPv4       6           346             2571          27334          2940          1.0m  0.72  
PROF_DETECT_CLEANUP         IPv4      17             8             3044           4489          3720         29.8k  0.02  
PROF_DETECT_GETSGH          IPv4       6           346             2516          40827          2976          1.0m  0.73  
PROF_DETECT_GETSGH          IPv4      17             8             5808          20996          8092         64.7k  0.05  


suricata-4.0.0-etpro-all-perf.txt-2018-11-21-T-13-03-19-11212018.1302-2018-01-05-fake-AV-page-after-viewing-sunrisegolf.club.pcap.txt - (35799 bytes)
  --------------------------------------------------------------------------
  Date: 11/21/2018 -- 13:03:19. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2820157      1        2        960305       4.43   5        0        305596      192061.00   0.00        192061.00  
  2        2820158      1        2        946303       4.37   5        0        288484      189260.60   0.00        189260.60  
  3        2816922      1        5        322742       1.49   6        0        185257      53790.33    0.00        53790.33   
  4        2816931      1        3        242774       1.12   6        0        107465      40462.33    0.00        40462.33   
  5        2018375      1        3        538637       2.49   28       0        96328       19237.04    0.00        19237.04   
  6        2816910      1        2        382394       1.76   6        0        86968       63732.33    0.00        63732.33   
  7        2024771      1        1        914534       4.22   204      0        86825       4483.01     0.00        4483.01    
  8        2814570      1        4        257218       1.19   4        0        85744       64304.50    0.00        64304.50   
  9        2816909      1        2        386736       1.78   6        0        84696       64456.00    0.00        64456.00   
  10       2815817      1        5        232992       1.08   6        0        81257       38832.00    0.00        38832.00   
  11       2022547      1        1        263565       1.22   63       0        76015       4183.57     0.00        4183.57    
  12       2024140      1        2        74860        0.35   1        0        74860       74860.00    0.00        74860.00   
  13       2816927      1        3        249823       1.15   6        0        69023       41637.17    0.00        41637.17   
  14       2821839      1        2        196841       0.91   4        0        68504       49210.25    0.00        49210.25   
  15       2823169      1        2        67925        0.31   1        0        67925       67925.00    0.00        67925.00   
  16       2816940      1        2        345673       1.59   6        0        65153       57612.17    0.00        57612.17   
  17       2022466      1        5        59976        0.28   1        1        59976       59976.00    59976.00    0.00       
  18       2820851      1        5        230301       1.06   6        0        56816       38383.50    0.00        38383.50   
  19       2816925      1        3        224479       1.04   6        0        55238       37413.17    0.00        37413.17   
  20       2814472      1        4        158021       0.73   4        0        51212       39505.25    0.00        39505.25   
  21       2100540      1        12       85061        0.39   12       0        51004       7088.42     0.00        7088.42    
  22       2816929      1        4        236149       1.09   6        0        50823       39358.17    0.00        39358.17   
  23       2016537      1        2        1278975      5.90   88       0        48589       14533.81    0.00        14533.81   
  24       2827279      1        5        159271       0.73   6        0        48449       26545.17    0.00        26545.17   
  25       2025064      1        5        245628       1.13   6        0        48075       40938.00    0.00        40938.00   
  26       2009702      1        5        130525       0.60   8        0        47758       16315.62    0.00        16315.62   
  27       2017552      1        6        1381947      6.38   94       0        47534       14701.56    0.00        14701.56   
  28       2012810      1        10       149253       0.69   4        4        46421       37313.25    37313.25    0.00       
  29       2809363      1        3        44871        0.21   1        0        44871       44871.00    0.00        44871.00   
  30       2014967      1        3        44813        0.21   1        0        44813       44813.00    0.00        44813.00   
  31       2021413      1        2        43448        0.20   1        0        43448       43448.00    0.00        43448.00   
  32       2816327      1        4        217710       1.00   6        0        43419       36285.00    0.00        36285.00   
  33       2816525      1        10       214983       0.99   6        0        42774       35830.50    0.00        35830.50   
  34       2810889      1        3        42322        0.20   1        0        42322       42322.00    0.00        42322.00   
  35       2022502      1        4        167375       0.77   6        0        41127       27895.83    0.00        27895.83   
  36       2829393      1        1        186975       0.86   6        0        40914       31162.50    0.00        31162.50   
  37       2821615      1        2        192884       0.89   6        0        40772       32147.33    0.00        32147.33   
  38       2829644      1        1        127939       0.59   4        0        39926       31984.75    0.00        31984.75   
  39       2816928      1        3        205813       0.95   6        0        39671       34302.17    0.00        34302.17   
  40       2019343      1        3        183338       0.85   6        0        39641       30556.33    0.00        30556.33   
  41       2020181      1        8        39529        0.18   1        0        39529       39529.00    0.00        39529.00   
  42       2816930      1        4        171014       0.79   6        0        39486       28502.33    0.00        28502.33   
  43       2807970      1        8        39447        0.18   1        0        39447       39447.00    0.00        39447.00   
  44       2828060      1        4        157307       0.73   5        0        38982       31461.40    0.00        31461.40   
  45       2016706      1        20       38845        0.18   1        0        38845       38845.00    0.00        38845.00   
  46       2022147      1        2        38783        0.18   1        0        38783       38783.00    0.00        38783.00   
  47       2015781      1        2        66526        0.31   2        0        38105       33263.00    0.00        33263.00   
  48       2024133      1        2        38065        0.18   1        0        38065       38065.00    0.00        38065.00   
  49       2823855      1        7        56929        0.26   2        0        37796       28464.50    0.00        28464.50   
  50       2816526      1        13       176162       0.81   6        0        37532       29360.33    0.00        29360.33   
  51       2023916      1        2        37184        0.17   1        0        37184       37184.00    0.00        37184.00   
  52       2019094      1        5        37140        0.17   1        0        37140       37140.00    0.00        37140.00   
  53       2021418      1        9        36687        0.17   1        0        36687       36687.00    0.00        36687.00   
  54       2024134      1        2        35706        0.16   1        0        35706       35706.00    0.00        35706.00   
  55       2821471      1        2        35546        0.16   1        0        35546       35546.00    0.00        35546.00   
  56       2812614      1        2        35193        0.16   1        0        35193       35193.00    0.00        35193.00   
  57       2811399      1        2        35064        0.16   1        0        35064       35064.00    0.00        35064.00   
  58       2022901      1        2        34656        0.16   1        0        34656       34656.00    0.00        34656.00   
  59       2829394      1        1        195420       0.90   6        0        34622       32570.00    0.00        32570.00   
  60       2815659      1        3        34517        0.16   1        0        34517       34517.00    0.00        34517.00   
  61       2830124      1        1        119119       0.55   4        0        34458       29779.75    0.00        29779.75   
  62       2024135      1        2        34386        0.16   1        0        34386       34386.00    0.00        34386.00   
  63       2819673      1        4        192348       0.89   6        0        34296       32058.00    0.00        32058.00   
  64       2024142      1        2        34233        0.16   1        0        34233       34233.00    0.00        34233.00   
  65       2815568      1        2        34038        0.16   1        0        34038       34038.00    0.00        34038.00   
  66       2008116      1        4        34003        0.16   1        0        34003       34003.00    0.00        34003.00   
  67       2024136      1        2        33917        0.16   1        0        33917       33917.00    0.00        33917.00   
  68       2024138      1        2        33906        0.16   1        0        33906       33906.00    0.00        33906.00   
  69       2024137      1        2        33447        0.15   1        0        33447       33447.00    0.00        33447.00   
  70       2828986      1        2        119414       0.55   4        0        33246       29853.50    0.00        29853.50   
  71       2024141      1        2        32633        0.15   1        0        32633       32633.00    0.00        32633.00   
  72       2024139      1        2        32627        0.15   1        0        32627       32627.00    0.00        32627.00   
  73       2021266      1        2        130241       0.60   8        0        31916       16280.12    0.00        16280.12   
  74       2020855      1        3        140584       0.65   6        0        31717       23430.67    0.00        23430.67   
  75       2015877      1        6        31150        0.14   1        0        31150       31150.00    0.00        31150.00   
  76       2816857      1        2        135762       0.63   6        0        30826       22627.00    0.00        22627.00   
  77       2014701      1        12       108011       0.50   8        0        30784       13501.38    0.00        13501.38   
  78       2809511      1        4        30146        0.14   1        0        30146       30146.00    0.00        30146.00   
  79       2017567      1        3        56441        0.26   2        0        30043       28220.50    0.00        28220.50   
  80       2816328      1        5        161073       0.74   6        0        30025       26845.50    0.00        26845.50   
  81       2823858      1        3        29923        0.14   1        0        29923       29923.00    0.00        29923.00   
  82       2021701      1        1        58391        0.27   11       0        29768       5308.27     0.00        5308.27    
  83       2016726      1        6        58558        0.27   2        0        29708       29279.00    0.00        29279.00   
  84       2829848      1        2        109014       0.50   4        0        29444       27253.50    0.00        27253.50   
  85       2025162      1        2        114244       0.53   4        0        28980       28561.00    0.00        28561.00   
  86       2823166      1        3        28813        0.13   1        0        28813       28813.00    0.00        28813.00   
  87       2824975      1        2        28691        0.13   1        0        28691       28691.00    0.00        28691.00   
  88       2816165      1        5        133163       0.61   6        0        28669       22193.83    0.00        22193.83   
  89       2821569      1        7        28343        0.13   1        0        28343       28343.00    0.00        28343.00   
  90       2807793      1        4        28334        0.13   1        0        28334       28334.00    0.00        28334.00   
  91       2816924      1        4        159526       0.74   6        0        28244       26587.67    0.00        26587.67   
  92       2823663      1        3        50385        0.23   2        0        28061       25192.50    0.00        25192.50   
  93       2017948      1        2        28004        0.13   1        0        28004       28004.00    0.00        28004.00   
  94       2017261      1        3        27962        0.13   1        0        27962       27962.00    0.00        27962.00   
  95       2812433      1        2        27928        0.13   1        0        27928       27928.00    0.00        27928.00   
  96       2828008      1        2        130383       0.60   6        0        27667       21730.50    0.00        21730.50   
  97       2816831      1        2        48842        0.23   2        0        27224       24421.00    0.00        24421.00   
  98       2001195      1        9        37270        0.17   2        0        27000       18635.00    0.00        18635.00   
  99       2819931      1        2        26589        0.12   1        0        26589       26589.00    0.00        26589.00   
  100      2024606      1        2        26326        0.12   1        0        26326       26326.00    0.00        26326.00   
  101      2100540      1        12       61690        0.28   12       0        26280       5140.83     0.00        5140.83    
  102      2816832      1        2        46999        0.22   2        0        26202       23499.50    0.00        23499.50   
  103      2012707      1        5        91990        0.42   4        0        25315       22997.50    0.00        22997.50   
  104      2001330      1        8        603641       2.79   208      0        24175       2902.12     0.00        2902.12    
  105      2815886      1        2        67485        0.31   3        0        23572       22495.00    0.00        22495.00   
  106      2816356      1        2        22934        0.11   1        0        22934       22934.00    0.00        22934.00   
  107      2014130      1        2        39359        0.18   7        0        22826       5622.71     0.00        5622.71    
  108      2809267      1        8        86267        0.40   4        0        22592       21566.75    0.00        21566.75   
  109      2804626      1        9        128229       0.59   6        0        22499       21371.50    0.00        21371.50   
  110      2826256      1        2        126165       0.58   6        0        22452       21027.50    0.00        21027.50   
  111      2811740      1        2        128247       0.59   6        0        22344       21374.50    0.00        21374.50   
  112      2021248      1        7        124324       0.57   8        0        22335       15540.50    0.00        15540.50   
  113      2822463      1        2        22292        0.10   1        0        22292       22292.00    0.00        22292.00   
  114      2828190      1        2        127267       0.59   6        0        22248       21211.17    0.00        21211.17   
  115      2810481      1        4        59180        0.27   3        0        22139       19726.67    0.00        19726.67   
  116      2022467      1        2        83310        0.38   4        0        22013       20827.50    0.00        20827.50   
  117      2830035      1        2        86400        0.40   4        0        21932       21600.00    0.00        21600.00   
  118      2816899      1        2        21775        0.10   1        0        21775       21775.00    0.00        21775.00   
  119      2024829      1        2        21768        0.10   1        0        21768       21768.00    0.00        21768.00   
  120      2024909      1        2        21679        0.10   1        0        21679       21679.00    0.00        21679.00   
  121      2830036      1        1        42891        0.20   2        0        21659       21445.50    0.00        21445.50   
  122      2829607      1        1        84054        0.39   4        0        21449       21013.50    0.00        21013.50   
  123      2021267      1        2        118082       0.54   8        0        21349       14760.25    0.00        14760.25   
  124      2816863      1        2        21233        0.10   1        0        21233       21233.00    0.00        21233.00   
  125      2825027      1        3        

This file has been truncated.
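The rule-performance table above is what a detection engineer uses to tune a ruleset: the Rule column is the SID, Gid 1 is the standard generator, Ticks are CPU cycles spent evaluating that rule, and the table is sorted by max ticks. Only two rules in the visible part of the table ever matched (2022466 once in one check, 2012810 four times in four checks); everything else is cost with no detection. The parser below is an added example, not code from this analysis page or from Suricata, and it runs on a constructed sample of rows copied from the table above, including the truncated row 125, which a robust parser must drop rather than mis-read.

```python
import re
from dataclasses import dataclass

# Constructed sample: rows copied from the rule-performance table above, in
# Suricata's rule_perf.log column order. Row 125 is the truncated line as shown
# on the page and must be skipped by the parser.
RULE_PERF_SAMPLE = """\
  --------------------------------------------------------------------------
  Date: 11/21/2018 -- 13:03:19. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2820157      1        2        960305       4.43   5        0        305596      192061.00   0.00        192061.00
  2        2820158      1        2        946303       4.37   5        0        288484      189260.60   0.00        189260.60
  7        2024771      1        1        914534       4.22   204      0        86825       4483.01     0.00        4483.01
  17       2022466      1        5        59976        0.28   1        1        59976       59976.00    59976.00    0.00
  23       2016537      1        2        1278975      5.90   88       0        48589       14533.81    0.00        14533.81
  27       2017552      1        6        1381947      6.38   94       0        47534       14701.56    0.00        14701.56
  28       2012810      1        10       149253       0.69   4        4        46421       37313.25    37313.25    0.00
  125      2825027      1        3
"""


@dataclass(frozen=True)
class RuleStat:
    sid: int
    gid: int
    rev: int
    ticks: int        # total CPU ticks spent on this rule
    pct: float        # share of all rule ticks, as printed by Suricata
    checks: int       # how often the rule was evaluated
    matches: int      # how often it fired
    max_ticks: int
    avg_ticks: float


# Exactly twelve whitespace-separated numeric columns; anything else (header,
# separator, the truncated row) fails to match and is skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_rule_perf(text):
    """Parse rule_perf.log rows into RuleStat objects, dropping non-data lines."""
    stats = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _num, sid, gid, rev, ticks, pct, checks, matches, mx, avg, _am, _anm = m.groups()
        stats.append(RuleStat(int(sid), int(gid), int(rev), int(ticks), float(pct),
                              int(checks), int(matches), int(mx), float(avg)))
    return stats


def matched_rules(stats):
    """Rules that fired at least once: the signal in this capture."""
    return [s for s in stats if s.matches > 0]


def costliest_nonmatching(stats, n=3):
    """Rules that burned the most total ticks without ever matching: first tuning candidates."""
    return sorted((s for s in stats if s.matches == 0), key=lambda s: s.ticks, reverse=True)[:n]


def wasted_share(stats):
    """Fraction of the sampled rule ticks spent on rules that never matched."""
    total = sum(s.ticks for s in stats)
    if total == 0:
        return 0.0
    return sum(s.ticks for s in stats if s.matches == 0) / total


if __name__ == "__main__":
    st = parse_rule_perf(RULE_PERF_SAMPLE)
    print("matched:", [(s.sid, f"{s.matches}/{s.checks}") for s in matched_rules(st)])
    print("costliest non-matching:", [(s.sid, s.ticks) for s in costliest_nonmatching(st)])
    print(f"ticks spent on rules that never matched: {wasted_share(st):.1%}")
```

On the full 35 KB file the same functions work unchanged; the interesting output is the non-matching rules with high total ticks and many checks (2024771 with 204 checks, 2017552 with 94) rather than the top of the max-ticks sort, which is dominated by rules checked only five or six times.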


stats.log - (2759 bytes)
------------------------------------------------------------------------------------
Date: 11/21/2018 -- 13:03:19 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 346
decoder.bytes                              | Total                     | 302307
decoder.ipv4                               | Total                     | 346
decoder.ethernet                           | Total                     | 346
decoder.tcp                                | Total                     | 338
decoder.udp                                | Total                     | 8
decoder.avg_pkt_size                       | Total                     | 873
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 4
flow.udp                                   | Total                     | 4
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.reassembly_gap                         | Total                     | 1
detect.alert                               | Total                     | 7
detect.mpm_list                            | Total                     | 4
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 4
app_layer.flow.http                        | Total                     | 4
app_layer.tx.http                          | Total                     | 6
app_layer.flow.dns_udp                     | Total                     | 4
app_layer.tx.dns_udp                       | Total                     | 4
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 2
flow_mgr.flows_notimeout                   | Total                     | 2
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65534
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076608


eve.json - (10603 bytes) - download
{"timestamp":"2018-01-05T23:37:48.511234+0000","flow_id":211744241536258,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.5.104","src_port":57668,"dest_ip":"10.1.5.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33279,"rrname":"sunrisegolf.club","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-05T23:37:48.682244+0000","flow_id":211744241536258,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.5.1","src_port":53,"dest_ip":"10.1.5.104","dest_port":57668,"proto":"UDP","dns":{"type":"answer","id":33279,"rcode":"NOERROR","rrname":"sunrisegolf.club","rrtype":"A","ttl":5,"rdata":"193.41.214.6"}}
{"timestamp":"2018-01-05T23:37:49.539638+0000","flow_id":2074347003734878,"pcap_cnt":18,"event_type":"http","src_ip":"10.1.5.104","src_port":49167,"dest_ip":"193.41.214.6","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sunrisegolf.club","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-01-05T23:38:08.100633+0000","flow_id":490169792760089,"pcap_cnt":19,"event_type":"dns","src_ip":"10.1.5.104","src_port":61684,"dest_ip":"10.1.5.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57887,"rrname":"kodmax.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-05T23:38:08.359189+0000","flow_id":490169792760089,"pcap_cnt":20,"event_type":"dns","src_ip":"10.1.5.1","src_port":53,"dest_ip":"10.1.5.104","dest_port":61684,"proto":"UDP","dns":{"type":"answer","id":57887,"rcode":"NOERROR","rrname":"kodmax.com","rrtype":"A","ttl":5,"rdata":"138.128.176.210"}}
{"timestamp":"2018-01-05T23:38:09.106280+0000","flow_id":14959578742481,"pcap_cnt":27,"event_type":"http","src_ip":"10.1.5.104","src_port":49189,"dest_ip":"138.128.176.210","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"kodmax.com","url":"\/wp-content\/plugins\/twitter-widget-pro\/lib\/class.widget.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-01-05T23:38:09.108490+0000","flow_id":2244384760375242,"pcap_cnt":28,"event_type":"alert","src_ip":"10.1.5.104","src_port":53998,"dest_ip":"10.1.5.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2012811,"rev":2,"signature":"ET DNS Query to a .tk domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-01-05T23:38:09.108490+0000","flow_id":2244384760375242,"pcap_cnt":28,"event_type":"dns","src_ip":"10.1.5.104","src_port":53998,"dest_ip":"10.1.5.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41878,"rrname":"nn0blecalling305011.tk","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-05T23:38:09.262035+0000","flow_id":2244384760375242,"pcap_cnt":29,"event_type":"dns","src_ip":"10.1.5.1","src_port":53,"dest_ip":"10.1.5.104","dest_port":53998,"proto":"UDP","dns":{"type":"answer","id":41878,"rcode":"NOERROR","rrname":"nn0blecalling305011.tk","rrtype":"A","ttl":5,"rdata":"204.155.28.5"}}
{"timestamp":"2018-01-05T23:38:09.844895+0000","flow_id":1084062838096299,"pcap_cnt":36,"event_type":"alert","src_ip":"10.1.5.104","src_port":49191,"dest_ip":"204.155.28.5","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012810,"rev":10,"signature":"ET POLICY HTTP Request to a *.tk domain","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-05T23:38:09.844895+0000","flow_id":1084062838096299,"pcap_cnt":36,"event_type":"http","src_ip":"10.1.5.104","src_port":49191,"dest_ip":"204.155.28.5","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"nn0blecalling305011.tk","url":"\/index\/?2101505838590","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-01-05T23:38:09.848153+0000","flow_id":498057500291353,"pcap_cnt":37,"event_type":"alert","src_ip":"10.1.5.104","src_port":59359,"dest_ip":"10.1.5.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2012811,"rev":2,"signature":"ET DNS Query to a .tk domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-01-05T23:38:09.848153+0000","flow_id":498057500291353,"pcap_cnt":37,"event_type":"dns","src_ip":"10.1.5.104","src_port":59359,"dest_ip":"10.1.5.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33244,"rrname":"nn0blesapport605011234567.tk","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-05T23:38:10.054218+0000","flow_id":498057500291353,"pcap_cnt":38,"event_type":"dns","src_ip":"10.1.5.1","src_port":53,"dest_ip":"10.1.5.104","dest_port":59359,"proto":"UDP","dns":{"type":"answer","id":33244,"rcode":"NOERROR","rrname":"nn0blesapport605011234567.tk","rrtype":"A","ttl":5,"rdata":"185.159.83.48"}}
{"timestamp":"2018-01-05T23:38:10.054218+0000","flow_id":498057500291353,"pcap_cnt":38,"event_type":"dns","src_ip":"10.1.5.1","src_port":53,"dest_ip":"10.1.5.104","dest_port":59359,"proto":"UDP","dns":{"type":"answer","id":33244,"rcode":"NOERROR","rrname":"nn0blesapport605011234567.tk","rrtype":"A","ttl":5,"rdata":"185.159.83.47"}}
{"timestamp":"2018-01-05T23:38:10.911119+0000","flow_id":1449472213309176,"pcap_cnt":47,"event_type":"alert","src_ip":"10.1.5.104","src_port":49192,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012810,"rev":10,"signature":"ET POLICY HTTP Request to a *.tk domain","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-05T23:38:11.177791+0000","flow_id":1449472213309176,"pcap_cnt":59,"event_type":"http","src_ip":"10.1.5.104","src_port":49192,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"nn0blesapport605011234567.tk","url":"\/?number=44-163-074-0014","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-01-05T23:38:11.178271+0000","flow_id":1449472213309176,"pcap_cnt":61,"event_type":"fileinfo","src_ip":"185.159.83.48","src_port":80,"dest_ip":"10.1.5.104","dest_port":49192,"proto":"TCP","http":{"hostname":"nn0blesapport605011234567.tk","url":"\/?number=44-163-074-0014","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_refer":"http:\/\/sunrisegolf.club\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":12421},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":12410,"tx_id":0}}
{"timestamp":"2018-01-05T23:38:11.462157+0000","flow_id":1449472213309176,"pcap_cnt":64,"event_type":"alert","src_ip":"10.1.5.104","src_port":49192,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2012810,"rev":10,"signature":"ET POLICY HTTP Request to a *.tk domain","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-05T23:38:11.463994+0000","flow_id":1449472213309176,"pcap_cnt":77,"event_type":"http","src_ip":"10.1.5.104","src_port":49192,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"nn0blesapport605011234567.tk","url":"\/landinf\/defender.png","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"image\/png"}}
{"timestamp":"2018-01-05T23:38:19.844278+0000","flow_id":1084062838096299,"pcap_cnt":81,"event_type":"alert","src_ip":"204.155.28.5","src_port":80,"dest_ip":"10.1.5.104","dest_port":49191,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022466,"rev":5,"signature":"ET CURRENT_EVENTS Possible Keitaro TDS Redirect","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-05T23:38:19.984605+0000","flow_id":1449472213309176,"pcap_cnt":84,"event_type":"fileinfo","src_ip":"185.159.83.48","src_port":80,"dest_ip":"10.1.5.104","dest_port":49192,"proto":"TCP","http":{"hostname":"nn0blesapport605011234567.tk","url":"\/landinf\/defender.png","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"image\/png","http_refer":"http:\/\/nn0blesapport605011234567.tk\/?number=44-163-074-0014","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13386},"app_proto":"http","fileinfo":{"filename":"\/landinf\/defender.png","gaps":false,"state":"CLOSED","stored":false,"size":13386,"tx_id":1}}
{"timestamp":"2018-01-05T23:38:20.253119+0000","flow_id":1449472213309176,"pcap_cnt":87,"event_type":"alert","src_ip":"10.1.5.104","src_port":49192,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":2,"alert":{"action":"allowed","gid":1,"signature_id":2012810,"rev":10,"signature":"ET POLICY HTTP Request to a *.tk domain","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-05T23:38:20.791916+0000","flow_id":1449472213309176,"pcap_cnt":167,"event_type":"fileinfo","src_ip":"185.159.83.48","src_port":80,"dest_ip":"10.1.5.104","dest_port":49192,"proto":"TCP","http":{"hostname":"nn0blesapport605011234567.tk","url":"\/landinf\/err.mp3","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"audio\/mpeg","http_refer":"http:\/\/nn0blesapport605011234567.tk\/?number=44-163-074-0014","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68632},"app_proto":"http","fileinfo":{"filename":"\/landinf\/err.mp3","gaps":false,"state":"TRUNCATED","stored":false,"size":68632,"tx_id":2}}
{"timestamp":"2018-01-05T23:38:21.328995+0000","flow_id":1449472213309176,"event_type":"http","src_ip":"10.1.5.104","src_port":49192,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"nn0blesapport605011234567.tk","url":"\/landinf\/err.mp3","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"audio\/mpeg"}}
{"timestamp":"2018-01-05T23:38:21.328995+0000","flow_id":2074347003734878,"event_type":"fileinfo","src_ip":"193.41.214.6","src_port":80,"dest_ip":"10.1.5.104","dest_port":49167,"proto":"TCP","http":{"hostname":"sunrisegolf.club","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7635},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":44568,"tx_id":0}}


unified2.alert.1542805397 - (3117 bytes) - download
4ZPa§Ê¶‹
h
Òî5nZPaZPa§ÊRÓøJ»#®H¶EDè€ýV
h
Òî50Ü´£–nn0blecalling305011tk4ZPaä_¶Š

h̛À'PƒZPaZPaä_gEYÁ–
h̛À'PP‡GET /index/?2101505838590 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://sunrisegolf.club/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: nn0blecalling305011.tk

4ZPañ¶‹
h
çß5tZPaZPañXÓøJ»#®H¶EJð€ýH
h
çß56;«Ünn0blesapport605011234567tk4ZPb
綊

h¹ŸS0À(PŒZPbZPb
çpEb^
h¹ŸS0À(PPõ™GET /?number=44-163-074-0014 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://sunrisegolf.club/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: nn0blesapport605011234567.tk

4ZPc
M¶Š

h¹ŸS0À(P¹ZPcZPc
ME1
h¹ŸS0À(PP™ÆGET /landinf/defender.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://nn0blesapport605011234567.tk/?number=44-163-074-0014
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: nn0blesapport605011234567.tk
Connection: Keep-Alive

4ZPkáöÜB̛
hPÀ'âZPkZPkáöÆE¸À7̛
hPÀ'PÕkHTTP/1.1 302 Moved Temporarily
Server: nginx/1.10.2
Date: Fri, 05 Jan 2018 23:38:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=3
Expires: Thu, 21 Jul 1977 07:30:00 GMT
Last-Modified: Fri, 05 Jan 2018 23:38:08 GMT
Cache-Control: max-age=0
Pragma: no-cache
Set-Cookie: 00831=%7B%22streams%22%3A%7B%221407%22%3A1515195488%7D%2C%22campaigns%22%3A%7B%22248%22%3A1515195488%7D%2C%22time%22%3A1515195488%7D; expires=Mon, 05-Feb-2018 23:38:08 GMT; Max-Age=2678400; path=/; domain=.nn0blecalling305011.tk
Location: http://nn0blesapport605011234567.tk/?number=44-163-074-0014

0

4ZPlÜ¿¶Š

h¹ŸS0À(PÅZPlZPlÜ¿©E›%
h¹ŸS0À(PPrGET /landinf/err.mp3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept: */*
Referer: http://nn0blesapport605011234567.tk/?number=44-163-074-0014
GetContentFeatures.DLNA.ORG: 1
Pragma: getIfoFileURI.dlna.org
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: nn0blesapport605011234567.tk
Connection: Keep-Alive


keyword_perf.log - (11130 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/21/2018 -- 13:03:19
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             1777008         559             559             30463           3178.00         3178.00         0.00           
  content          4400436         715             412             283544          6154.00         4639.00         8213.00        
  pcre             854222          123             56              152228          6944.00         5537.00         8121.00        
  byte_test        135336          38              17              16687           3561.00         4296.00         2966.00        
  isdataat         18255           6               0               3632            3042.00         0.00            3042.00        
  flowbits         4095            1               1               4095            4095.00         4095.00         0.00           
  urilen           367480          104             30              26817           3533.00         3396.00         3588.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             1777008         559             559             30463           3178.00         3178.00         0.00           
  flowbits         4095            1               1               4095            4095.00         4095.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          567609          117             41              90180           4851.00         4111.00         5250.00        
  pcre             16432           3               0               5868            5477.00         0.00            5477.00        
  byte_test        135336          38              17              16687           3561.00         4296.00         2966.00        
  isdataat         12782           4               0               3632            3195.00         0.00            3195.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          382309          101             59              14874           3785.00         3767.00         3809.00        
  pcre             444934          51              7               152228          8724.00         6011.00         9155.00        
  isdataat         5473            2               0               2793            2736.00         0.00            2736.00        
  urilen           367480          104             30              26817           3533.00         3396.00         3588.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14782           4               0               4172            3695.00         0.00            3695.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1575967         32              4               283544          49248.00        55010.00        48425.00       
  pcre             13029           2               0               8218            6514.00         0.00            6514.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1335098         312             226             39361           4279.00         4443.00         3847.00        
  pcre             330959          55              37              19872           6017.00         5922.00         6211.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          179964          50              20              5405            3599.00         4004.00         3329.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          27338           8               8               3711            3417.00         3417.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          90244           26              9               13722           3470.00         3222.00         3602.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          146995          42              30              4684            3499.00         3589.00         3275.00        
  pcre             48868           12              12              5062            4072.00         4072.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          42524           12              12              5106            3543.00         3543.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          37606           11              3               4402            3418.00         3288.00         3467.00        


suricata-report-2018-11-21-T-13-03-19-11212018.1302-2018-01-05-fake-AV-page-after-viewing-sunrisegolf.club.pcap.txt - (17957 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/9b967977c969634423f830705d97215256b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11212018.1302-2018-01-05-fake-AV-page-after-viewing-sunrisegolf.club.pcap -vvv -k none
elapsedtime:24.921321
stderr:
stdout:
21/11/2018 -- 13:02:54 - <Info> - Configuration node 'rule-files' redefined.
21/11/2018 -- 13:02:54 - <Notice> - This is Suricata version 4.0.0 RELEASE
21/11/2018 -- 13:02:54 - <Info> - CPUs/cores online: 1
21/11/2018 -- 13:02:54 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34291 and 'request-body-inspect-window' set to 16741 after randomization.
21/11/2018 -- 13:02:54 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33608 and 'response-body-inspect-window' set to 16567 after randomization.
21/11/2018 -- 13:02:54 - <Config> - DNS request flood protection level: 500
21/11/2018 -- 13:02:54 - <Config> - DNS per flow memcap (state-memcap): 524288
21/11/2018 -- 13:02:54 - <Config> - DNS global memcap: 16777216
21/11/2018 -- 13:02:54 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
21/11/2018 -- 13:02:54 - <Config> - preallocated 1000 hosts of size 136
21/11/2018 -- 13:02:54 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
21/11/2018 -- 13:02:54 - <Config> - using magic-file /usr/share/file/magic
21/11/2018 -- 13:02:54 - <Config> - Core dump size is unlimited.
21/11/2018 -- 13:02:54 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
21/11/2018 -- 13:02:54 - <Config> - preallocated 1000 defrag trackers of size 168
21/11/2018 -- 13:02:54 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
21/11/2018 -- 13:02:54 - <Config> - stream "prealloc-sessions": 2048 (per thread)
21/11/2018 -- 13:02:54 - <Config> - stream "memcap": 33554432
21/11/2018 -- 13:02:54 - <Config> - stream "midstream" session pickups: disabled
21/11/2018 -- 13:02:54 - <Config> - stream "async-oneside": disabled
21/11/2018 -- 13:02:54 - <Config> - stream "checksum-validation": disabled
21/11/2018 -- 13:02:54 - <Config> - stream."inline": disabled
21/11/2018 -- 13:02:54 - <Config> - stream "bypass": disabled
21/11/2018 -- 13:02:54 - <Config> - stream "max-synack-queued": 5
21/11/2018 -- 13:02:54 - <Config> - stream.reassembly "memcap": 134217728
21/11/2018 -- 13:02:54 - <Config> - stream.reassembly "depth": 0
21/11/2018 -- 13:02:54 - <Config> - stream.reassembly "toserver-chunk-size": 2596
21/11/2018 -- 13:02:54 - <Config> - stream.reassembly "toclient-chunk-size": 2558
21/11/2018 -- 13:02:54 - <Config> - stream.reassembly.raw: enabled
21/11/2018 -- 13:02:54 - <Config> - stream.reassembly "segment-prealloc": 2048
21/11/2018 -- 13:02:54 - <Config> - Delayed detect disabled
21/11/2018 -- 13:02:54 - <Config> - pattern matchers: MPM: ac, SPM: bm
21/11/2018 -- 13:02:54 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
21/11/2018 -- 13:02:54 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
21/11/2018 -- 13:02:54 - <Config> - prefilter engines: MPM
21/11/2018 -- 13:02:54 - <Config> - IP reputation disabled
21/11/2018 -- 13:02:54 - <Perf> - Registered 148 keyword profiling counters.
21/11/2018 -- 13:02:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
21/11/2018 -- 13:02:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
21/11/2018 -- 13:02:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
21/11/2018 -- 13:02:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
21/11/2018 -- 13:02:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
21/11/2018 -- 13:02:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
21/11/2018 -- 13:02:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
21/11/2018 -- 13:02:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
21/11/2018 -- 13:03:00 - <Config> - No rules loaded from ET-icmp.rules.
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
21/11/2018 -- 13:03:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
21/11/2018 -- 13:03:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
21/11/2018 -- 13:03:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
21/11/2018 -- 13:03:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
21/11/2018 -- 13:03:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
21/11/2018 -- 13:03:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
21/11/2018 -- 13:03:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
21/11/2018 -- 13:03:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
21/11/2018 -- 13:03:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
21/11/2018 -- 13:03:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
21/11/2018 -- 13:03:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
21/11/2018 -- 13:03:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
21/11/2018 -- 13:03:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
21/11/2018 -- 13:03:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
21/11/2018 -- 13:03:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
21/11/2018 -- 13:03:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
21/11/2018 -- 13:03:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
21/11/2018 -- 13:03:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
21/11/2018 -- 13:03:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
21/11/2018 -- 13:03:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
21/11/2018 -- 13:03:08 - <Config> - No rules loaded from local.rules.
21/11/2018 -- 13:03:08 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
21/11/2018 -- 13:03:08 - <Info> - Threshold config parsed: 0 rule(s) found
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for tcp-packet
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for tcp-stream
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for udp-packet
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for other-ip
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_uri
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_request_line
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_client_body
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_response_line
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_header
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_header
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_header_names
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_header_names
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_accept
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_accept_enc
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_accept_lang
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_referer
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_connection
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_content_len
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_content_len
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_content_type
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_content_type
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_protocol
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_protocol
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_start
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_start
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_raw_header
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_raw_header
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_method
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_cookie
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_cookie
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_raw_uri
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_user_agent
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_host
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_raw_host
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_stat_msg
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_stat_code
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for dns_query
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for tls_sni
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for tls_cert_issuer
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for tls_cert_subject
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for tls_cert_serial
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for dce_stub_data
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for dce_stub_data
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for ssh_protocol
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for ssh_protocol
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for ssh_software
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for ssh_software
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for file_data
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for file_data
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_request_line
21/11/2018 -- 13:03:09 - <Perf> - using shared mpm ctx' for http_response_line
21/11/2018 -- 13:03:09 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
21/11/2018 -- 13:03:09 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
21/11/2018 -- 13:03:09 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
21/11/2018 -- 13:03:09 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
21/11/2018 -- 13:03:09 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
21/11/2018 -- 13:03:09 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
21/11/2018 -- 13:03:09 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
21/11/2018 -- 13:03:09 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
21/11/2018 -- 13:03:15 - <Perf> - Unique rule groups: 104
21/11/2018 -- 13:03:15 - <Perf> - Builtin MPM "toserver TCP packet": 35
21/11/2018 -- 13:03:15 - <Perf> - Builtin MPM "toclient TCP packet": 17
21/11/2018 -- 13:03:15 - <Perf> - Builtin MPM "toserver TCP stream": 33
21/11/2018 -- 13:03:15 - <Perf> - Builtin MPM "toclient TCP stream": 19
21/11/2018 -- 13:03:15 - <Perf> - Builtin MPM "toserver UDP packet": 27
21/11/2018 -- 13:03:15 - <Perf> - Builtin MPM "toclient UDP packet": 17
21/11/2018 -- 13:03:15 - <Perf> - Builtin MPM "other IP packet": 3
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_uri": 14
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_request_line": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_client_body": 6
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient http_response_line": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_header": 10
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient http_header": 6
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_header_names": 2
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_accept": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_referer": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_content_len": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_content_type": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient http_content_type": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_protocol": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_start": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_method": 5
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_cookie": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient http_cookie": 2
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver http_host": 2
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver dns_query": 4
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver tls_sni": 2
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toserver file_data": 1
21/11/2018 -- 13:03:15 - <Perf> - AppLayer MPM "toclient file_data": 7
21/11/2018 -- 13:03:17 - <Perf> - Registered 39590 rule profiling counters.
21/11/2018 -- 13:03:17 - <Info> - fast output device (regular) initialized: alert
21/11/2018 -- 13:03:17 - <Info> - eve-log output device (regular) initialized: eve.json
21/11/2018 -- 13:03:17 - <Config> - enabling 'eve-log' module 'alert'
21/11/2018 -- 13:03:17 - <Config> - enabling 'eve-log' module 'http'
21/11/2018 -- 13:03:17 - <Config> - enabling 'eve-log' module 'dns'
21/11/2018 -- 13:03:17 - <Config> - enabling 'eve-log' module 'tls'
21/11/2018 -- 13:03:17 - <Config> - enabling 'eve-log' module 'files'
21/11/2018 -- 13:03:17 - <Config> - enabling 'eve-log' module 'ssh'
21/11/2018 -- 13:03:17 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
21/11/2018 -- 13:03:17 - <Info> - stats output device (regular) initialized: stats.log
21/11/2018 -- 13:03:1

This file has been truncated.


suricata-4.0.0-etpro-all-alert-2018-11-21-T-13-03-19-11212018.1302-2018-01-05-fake-AV-page-after-viewing-sunrisegolf.club.pcap.txt - (1349 bytes) - download
01/05/2018-23:38:09.108490  [**] [1:2012811:2] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.5.104:53998 -> 10.1.5.1:53
01/05/2018-23:38:09.844895  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.5.104:49191 -> 204.155.28.5:80
01/05/2018-23:38:09.848153  [**] [1:2012811:2] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.5.104:59359 -> 10.1.5.1:53
01/05/2018-23:38:10.911119  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.5.104:49192 -> 185.159.83.48:80
01/05/2018-23:38:11.462157  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.5.104:49192 -> 185.159.83.48:80
01/05/2018-23:38:19.844278  [**] [1:2022466:5] ET CURRENT_EVENTS Possible Keitaro TDS Redirect [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 204.155.28.5:80 -> 10.1.5.104:49191
01/05/2018-23:38:20.253119  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.5.104:49192 -> 185.159.83.48:80
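The seven alerts above are all from one internal host (10.1.5.104): two DNS lookups for .tk names, HTTP requests to two .tk hosts, and one Keitaro TDS redirect signature that fired on the server side of the first HTTP flow (204.155.28.5:80 -> 10.1.5.104:49191, the reverse of the 49191 request). Read line by line, that last alert looks like a separate event; keyed by flow it is the response to the first .tk request, which is the chain (DNS, request, TDS redirect, follow-on requests) a fake-AV landing page typically leaves. The following is an added example, not IDSDeathBlossom or Suricata code: it parses fast.log lines with the default Suricata 4.x layout, groups them under a direction-independent flow key so request and reply land together, and lists the external IPs to pivot on. The sample input is the alert file above copied verbatim; the "10." prefix used to classify addresses as internal is an assumption taken from the capture.

```python
"""Correlate Suricata fast.log alerts by flow.

Added example; this is not IDSDeathBlossom or Suricata code. The sample
input is the seven alert lines from the alert file above, copied verbatim.
The regex assumes the default fast.log layout of Suricata 4.x (IPv4 only),
and the "internal" address prefix used for pivoting is an assumption taken
from the 10.1.5.0/24 addresses in the capture.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Sample input (constructed for this example from the alert file above).
SAMPLE_FAST_LOG = """\
01/05/2018-23:38:09.108490  [**] [1:2012811:2] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.5.104:53998 -> 10.1.5.1:53
01/05/2018-23:38:09.844895  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.5.104:49191 -> 204.155.28.5:80
01/05/2018-23:38:09.848153  [**] [1:2012811:2] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.5.104:59359 -> 10.1.5.1:53
01/05/2018-23:38:10.911119  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.5.104:49192 -> 185.159.83.48:80
01/05/2018-23:38:11.462157  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.5.104:49192 -> 185.159.83.48:80
01/05/2018-23:38:19.844278  [**] [1:2022466:5] ET CURRENT_EVENTS Possible Keitaro TDS Redirect [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 204.155.28.5:80 -> 10.1.5.104:49191
01/05/2018-23:38:20.253119  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.5.104:49192 -> 185.159.83.48:80
"""

# One fast.log alert line. Ports are optional so lines for protocols that
# carry none still parse instead of being silently dropped.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_log(text):
    """Return one dict per alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for k in ("gid", "sid", "rev", "prio"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def _endpoint(ip, port):
    return "%s:%s" % (ip, port) if port else ip


def flow_key(a):
    """Direction-independent 5-tuple: a request alert and an alert on the
    server's reply (src/dst swapped) map to the same key."""
    ends = sorted([(a["src"], a["sport"] or ""), (a["dst"], a["dport"] or "")])
    return (a["proto"], ends[0], ends[1])


def summarize_flows(alerts):
    """Group alerts by flow, in order of first alert, and flag flows where
    both directions alerted (a toclient hit on a flow the client opened)."""
    flows = OrderedDict()
    for a in sorted(alerts, key=lambda x: x["ts"]):
        f = flows.setdefault(flow_key(a),
                             {"sids": [], "first": a["ts"], "last": a["ts"], "sources": set()})
        f["sids"].append(a["sid"])
        f["last"] = a["ts"]
        f["sources"].add(a["src"])
    summary = []
    for (proto, a_end, b_end), f in flows.items():
        summary.append({
            "proto": proto,
            "a": _endpoint(*a_end),
            "b": _endpoint(*b_end),
            "sids": f["sids"],
            "bidirectional": len(f["sources"]) > 1,
            "span_s": (f["last"] - f["first"]).total_seconds(),
        })
    return summary


def external_pivots(alerts, internal_prefixes=("10.",)):
    """Map each non-internal IP to the sorted set of SIDs seen with it.
    The prefix list is an assumption for this capture; set it per network."""
    pivots = {}
    for a in alerts:
        for ip in (a["src"], a["dst"]):
            if not ip.startswith(internal_prefixes):
                pivots.setdefault(ip, set()).add(a["sid"])
    return {ip: sorted(sids) for ip, sids in pivots.items()}


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for f in summarize_flows(alerts):
        flag = "bidirectional" if f["bidirectional"] else "one-way"
        print("%s %s <-> %s  sids=%s  %s  %.3fs"
              % (f["proto"], f["a"], f["b"], f["sids"], flag, f["span_s"]))
    for ip, sids in sorted(external_pivots(alerts).items()):
        print("pivot %-15s %s" % (ip, sids))
```

Run against the sample, the summary collapses the seven lines into four flows: the 49191 flow to 204.155.28.5 carries both the .tk request (2012810) and, ten seconds later, the TDS redirect (2022466) in the reverse direction, while the 49192 flow to 185.159.83.48 carries the same policy rule three times. That repetition is the kind of noise a threshold.config entry of type limit, tracked by source, would cut; the startup log above shows none was loaded ("Threshold config parsed: 0 rule(s) found"). fast.log does not record the queried or requested .tk hostname, so the next step is to pull the dns and http records for these flows from eve.json, which the run above enabled.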


IDSDeathBlossom.py.log - (1194 bytes) - download
2018-11-21 13:02:53,568 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-21 13:02:54,341 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-21 13:02:54,341 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-11-21 13:02:54,341 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-21 13:02:54,342 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-21 13:02:54,342 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/9b967977c969634423f830705d97215256b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11212018.1302-2018-01-05-fake-AV-page-after-viewing-sunrisegolf.club.pcap -vvv -k none
2018-11-21 13:03:19,265 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-21 13:03:19,265 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 25.7096209526