Filename: 2019-01-24-Emotet-infection-with-spamming.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 25.026829958 seconds
Hash: 9c1a8d4f27d7c5d6ea7eef98301843dc
Uploaded: 1548677752

Logfiles


packet_stats.log - (15161 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6         16000           340401     2963567795    2009872415      32158.0b   88.51
 IPv4      17          1442         17035699     2960764115    2554691092       3683.9b   10.14
 IPv4     256           561           340401     2959984014     852749620        478.4b    1.32
 IPv6       0             3       1844165264     2504132439    2101494883          6.3b    0.02
 IPv6     256             3       1844165264     2504132439    2101494883          6.3b    0.02
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6         15628            65916       19350681        226871          3.5b   81.74
TMM_FLOWWORKER              IPv4      17          1442           212642        9961592        453952        654.6m   15.09
TMM_RECEIVEPCAPFILE         IPv4       6         15306             2537       17070094          4395         67.3m    1.55
TMM_RECEIVEPCAPFILE         IPv4      17          1442             2538         135340          3027          4.4m    0.10
TMM_DECODEPCAPFILE          IPv4       6         15306             2650        4436268          3970         60.8m    1.40
TMM_DECODEPCAPFILE          IPv4      17          1442             2667          61731          3372          4.9m    0.11
TMM_FLOWWORKER              IPv6       0             3            67831          83452         74506        223.5k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6         15306             2763          91873          3639         55.7m  1.47  
flow                    IPv4      17          1442             2870          82548          4402          6.3m  0.17  
stream                  IPv4       6         15628             2584       10769649         14856        232.2m  6.12  
app-layer               IPv4      17          1442             8460          89212         15178         21.9m  0.58  
detect                  IPv4       6         16000            44323       19316864        183023          2.9b  77.18 
detect                  IPv4      17          1442           136143        1774927        346995        500.4m  13.19 
tcp-prune               IPv4       6         15628             2543         146087          3156         49.3m  1.30  
detect                  IPv6       0             3            61668          76234         68043        204.1k  0.01  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            58             3090          97884         19048          1.1m  10.97 
smtp                    IPv4       6            54             2652         386463         10338        558.3k  5.54  
tls                     IPv4       6           268             2626          36626          3594        963.3k  9.56  
dns                     IPv4      17          1441             3095          44105          5167          7.4m  73.92 
Proto detect            IPv4       6            19             3030           7565          4304         81.8k
Proto detect            IPv4      17          1030             2730          73318          4995          5.1m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             8            21283         103006         55928        447.4k  0.34  
LOGGER_UNIFIED2             IPv4       6             8            46928         387572        135369          1.1m  0.83  
LOGGER_JSON_ALERT           IPv4       6             8            40181         121460         73645        589.2k  0.45  
LOGGER_JSON_DNS             IPv4      17          1435            25572        9168106         70746        101.5m  77.52 
LOGGER_JSON_HTTP            IPv4       6            61            76005        1372247        135580          8.3m  6.32  
LOGGER_JSON_TLS             IPv4       6           202             2949         132318         67304         13.6m  10.38 
LOGGER_JSON_FILE            IPv4       6            49            53533         195319        106600          5.2m  3.99  
LOGGER_JSON_VARS            IPv6     256             3            67831          83452         74506        223.5k  0.17  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          6762             2558        6652992         22194       150.1m  21.62 
payload                           IPv4      17          1439             3925         231903         17171        24.7m  3.56  
stream                            IPv4       6          6762             2527        7660984         34852       235.7m  33.95 
http_uri                          IPv4       6            61             3439          15747          5580       340.4k  0.05  
http_request_line                 IPv4       6            61             3870          42326          7311       446.0k  0.06  
http_client_body                  IPv4       6            61             2856          15634          3583       218.6k  0.03  
http_header (request)             IPv4       6            61            16736         134866         69494         4.2m  0.61  
http_header (request trailer)     IPv4       6            61             2597           3308          2734       166.8k  0.02  
http_header_names (request)       IPv4       6            61             8342          45121         18430         1.1m  0.16  
http_accept (request)             IPv4       6            61             3100          24637          4275       260.8k  0.04  
http_referer (request)            IPv4       6            61             2831           4305          3284       200.3k  0.03  
http_content_len (request)        IPv4       6            61             2934           4619          3525       215.0k  0.03  
http_content_type (request)       IPv4       6            61             2917           4842          3492       213.0k  0.03  
http_protocol (request)           IPv4       6            61             3316           7012          4915       299.9k  0.04  
http_start (request)              IPv4       6            61            10317          64361         19899         1.2m  0.17  
http_raw_header (request)         IPv4       6            61             8990          52965         21241         1.3m  0.19  
http_method                       IPv4       6            61             4070          10064          5976       364.6k  0.05  
http_cookie (request)             IPv4       6            61             2991          48319         13443       820.0k  0.12  
http_raw_uri                      IPv4       6            61             2678           7686          3563       217.4k  0.03  
http_user_agent                   IPv4       6            61             3277          82936         40393         2.5m  0.35  
http_host                         IPv4       6            61             3324          57717          6787       414.0k  0.06  
dns_query                         IPv4      17           718             2853         252978          8185         5.9m  0.85  
tls_sni                           IPv4       6           435             2532          61031          3275         1.4m  0.21  
file_data (smtp)                  IPv4       6           596             2531          24529          2929         1.7m  0.25  
http_response_line                IPv4       6            49             3181          37158          9604       470.6k  0.07  
http_header (response)            IPv4       6            49             6727          71099         34262         1.7m  0.24  
http_header (response trailer)    IPv4       6            47             2595          74952          5946       279.5k  0.04  
http_content_type (response)      IPv4       6            49             3308          54181         10478       513.5k  0.07  
http_raw_header (response)        IPv4       6          2665             3463          40758          4423        11.8m  1.70  
http_cookie (response)            IPv4       6            49             2932           4712          3532       173.1k  0.02  
http_stat_code                    IPv4       6            49             2868          33005          4609       225.9k  0.03  
tls_cert_issuer                   IPv4       6           202             2809          45773          6589         1.3m  0.19  
tls_cert_subject                  IPv4       6           202             2665          45895          7300         1.5m  0.21  
tls_cert_serial                   IPv4       6           202             2647          41103          4983         1.0m  0.15  
file_data (http response)         IPv4       6          2618             2569       14585139         92118       241.2m  34.74 
Total                             IPv4                 23991                                         28932       694.1m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6          1283             3247         431805         39220         50.3m  1.22  
PROF_DETECT_IPONLY          IPv4      17          1418            11215         277486         44874         63.6m  1.54  
PROF_DETECT_RULES           IPv4       6         16000             2525       19251203         62967          1.0b  24.41 
PROF_DETECT_RULES           IPv4      17          1442             8375         918660        192239        277.2m  6.72  
PROF_DETECT_STATEFUL_START    IPv4       6          3093             5110       19218310         97398        301.3m  7.30  
PROF_DETECT_STATEFUL_START    IPv4      17            13            11374          62718         20005        260.1k  0.01  
PROF_DETECT_STATEFUL_CONT    IPv4       6         16000             2511         399992          6673        106.8m  2.59  
PROF_DETECT_STATEFUL_CONT    IPv4      17          1442             2787         110840          7169         10.3m  0.25  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6         12433             2547        2224235          3158         39.3m  0.95  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17          1441             2571          51056          3071          4.4m  0.11  
PROF_DETECT_PREFILTER       IPv4       6         16000             7839       14867625         64841          1.0b  25.14 
PROF_DETECT_PREFILTER       IPv4      17          1442            24147         621615         51333         74.0m  1.79  
PROF_DETECT_PF_PAYLOAD      IPv4       6          6762            12997        7690153         65659        444.0m  10.76 
PROF_DETECT_PF_PAYLOAD      IPv4      17          1439             9110         237733         23075         33.2m  0.80  
PROF_DETECT_PF_TX           IPv4       6         12433             2547       14600208         28074        349.1m  8.46  
PROF_DETECT_PF_TX           IPv4      17           722             2643         259123         14068         10.2m  0.25  
PROF_DETECT_PF_SORT1        IPv4       6          4189             2525          63018          3401         14.3m  0.35  
PROF_DETECT_PF_SORT1        IPv4      17          1439             2823          67955          4397          6.3m  0.15  
PROF_DETECT_PF_SORT2        IPv4       6         16000             2516         391335          3079         49.3m  1.19  
PROF_DETECT_PF_SORT2        IPv4      17          1442             2648         226517          3526          5.1m  0.12  
PROF_DETECT_NONMPMLIST      IPv4       6         16000             2529        6558077          3541         56.7m  1.37  
PROF_DETECT_NONMPMLIST      IPv4      17          1442             2584          50262          3150          4.5m  0.11  
PROF_DETECT_ALERT           IPv4       6         16000             2522        6388735          3401         54.4m  1.32  
PROF_DETECT_ALERT           IPv4      17          1442             2525         129113          3186          4.6m  0.11  
PROF_DETECT_CLEANUP         IPv4       6         16000             2551         384233          3163         50.6m  1.23  
PROF_DETECT_CLEANUP         IPv4      17          1442             2540          91584          3553          5.1m  0.12  
PROF_DETECT_GETSGH          IPv4       6         16000             2522         106553          3643         58.3m  1.41  
PROF_DETECT_GETSGH          IPv4      17          1442             2745          52598          6177          8.9m  0.22  
PROF_DETECT_IPONLY          IPv6       0             3            13733          17220         15611         46.8k  0.00  
PROF_DETECT_RULES           IPv6       0             3             2540           3267          2795          8.4k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv6       0             3             2564           3216          2864          8.6k  0.00  
PROF_DETECT_PREFILTER       IPv6       0             3             8311           9956          8861         26.6k  0.00  
PROF_DETECT_PF_SORT2        IPv6       0             3             2553           3196          2850          8.6k  0.00  
PROF_DETECT_NONMPMLIST      IPv6       0             3             2763           3284          2957          8.9k  0.00  
PROF_DETECT_ALERT           IPv6       0             3             2576           3100          2830          8.5k  0.00  
PROF_DETECT_CLEANUP         IPv6       0             3             2573           3402          2858          8.6k  0.00  
PROF_DETECT_GETSGH          IPv6       0             3             2794           3586          3154          9.5k  0.00  


suricata-report-2019-01-28-T-12-16-17-01282019.1215-2019-01-24-Emotet-infection-with-spamming.pcap.txt - (17832 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/9c1a8d4f27d7c5d6ea7eef98301843dc56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1215-2019-01-24-Emotet-infection-with-spamming.pcap -vvv -k none
elapsedtime:24.083279
stderr:
stdout:
28/1/2019 -- 12:15:52 - <Info> - Configuration node 'rule-files' redefined.
28/1/2019 -- 12:15:52 - <Notice> - This is Suricata version 4.0.0 RELEASE
28/1/2019 -- 12:15:52 - <Info> - CPUs/cores online: 1
28/1/2019 -- 12:15:52 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34007 and 'request-body-inspect-window' set to 17045 after randomization.
28/1/2019 -- 12:15:52 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33005 and 'response-body-inspect-window' set to 16499 after randomization.
28/1/2019 -- 12:15:52 - <Config> - DNS request flood protection level: 500
28/1/2019 -- 12:15:52 - <Config> - DNS per flow memcap (state-memcap): 524288
28/1/2019 -- 12:15:52 - <Config> - DNS global memcap: 16777216
28/1/2019 -- 12:15:52 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
28/1/2019 -- 12:15:52 - <Config> - preallocated 1000 hosts of size 136
28/1/2019 -- 12:15:52 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
28/1/2019 -- 12:15:52 - <Config> - using magic-file /usr/share/file/magic
28/1/2019 -- 12:15:52 - <Config> - Core dump size is unlimited.
28/1/2019 -- 12:15:52 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
28/1/2019 -- 12:15:52 - <Config> - preallocated 1000 defrag trackers of size 168
28/1/2019 -- 12:15:52 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
28/1/2019 -- 12:15:53 - <Config> - stream "prealloc-sessions": 2048 (per thread)
28/1/2019 -- 12:15:53 - <Config> - stream "memcap": 33554432
28/1/2019 -- 12:15:53 - <Config> - stream "midstream" session pickups: disabled
28/1/2019 -- 12:15:53 - <Config> - stream "async-oneside": disabled
28/1/2019 -- 12:15:53 - <Config> - stream "checksum-validation": disabled
28/1/2019 -- 12:15:53 - <Config> - stream."inline": disabled
28/1/2019 -- 12:15:53 - <Config> - stream "bypass": disabled
28/1/2019 -- 12:15:53 - <Config> - stream "max-synack-queued": 5
28/1/2019 -- 12:15:53 - <Config> - stream.reassembly "memcap": 134217728
28/1/2019 -- 12:15:53 - <Config> - stream.reassembly "depth": 0
28/1/2019 -- 12:15:53 - <Config> - stream.reassembly "toserver-chunk-size": 2549
28/1/2019 -- 12:15:53 - <Config> - stream.reassembly "toclient-chunk-size": 2590
28/1/2019 -- 12:15:53 - <Config> - stream.reassembly.raw: enabled
28/1/2019 -- 12:15:53 - <Config> - stream.reassembly "segment-prealloc": 2048
28/1/2019 -- 12:15:53 - <Config> - Delayed detect disabled
28/1/2019 -- 12:15:53 - <Config> - pattern matchers: MPM: ac, SPM: bm
28/1/2019 -- 12:15:53 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
28/1/2019 -- 12:15:53 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
28/1/2019 -- 12:15:53 - <Config> - prefilter engines: MPM
28/1/2019 -- 12:15:53 - <Config> - IP reputation disabled
28/1/2019 -- 12:15:53 - <Perf> - Registered 148 keyword profiling counters.
28/1/2019 -- 12:15:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
28/1/2019 -- 12:15:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
28/1/2019 -- 12:15:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
28/1/2019 -- 12:15:58 - <Config> - No rules loaded from ET-icmp.rules.
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
28/1/2019 -- 12:15:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
28/1/2019 -- 12:15:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
28/1/2019 -- 12:15:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
28/1/2019 -- 12:15:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
28/1/2019 -- 12:16:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
28/1/2019 -- 12:16:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
28/1/2019 -- 12:16:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
28/1/2019 -- 12:16:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
28/1/2019 -- 12:16:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
28/1/2019 -- 12:16:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
28/1/2019 -- 12:16:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
28/1/2019 -- 12:16:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
28/1/2019 -- 12:16:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
28/1/2019 -- 12:16:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
28/1/2019 -- 12:16:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
28/1/2019 -- 12:16:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
28/1/2019 -- 12:16:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
28/1/2019 -- 12:16:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
28/1/2019 -- 12:16:06 - <Config> - No rules loaded from local.rules.
28/1/2019 -- 12:16:06 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
28/1/2019 -- 12:16:06 - <Info> - Threshold config parsed: 0 rule(s) found
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for tcp-packet
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for tcp-stream
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for udp-packet
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for other-ip
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_uri
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_client_body
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_accept
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_accept_enc
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_accept_lang
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_referer
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_connection
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_method
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_raw_uri
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_user_agent
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_host
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_raw_host
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_stat_msg
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_stat_code
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for dns_query
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for tls_sni
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for tls_cert_issuer
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for tls_cert_subject
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for tls_cert_serial
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:16:07 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:16:07 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
28/1/2019 -- 12:16:07 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
28/1/2019 -- 12:16:07 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
28/1/2019 -- 12:16:07 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
28/1/2019 -- 12:16:07 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
28/1/2019 -- 12:16:07 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
28/1/2019 -- 12:16:07 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
28/1/2019 -- 12:16:07 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
28/1/2019 -- 12:16:12 - <Perf> - Unique rule groups: 104
28/1/2019 -- 12:16:12 - <Perf> - Builtin MPM "toserver TCP packet": 35
28/1/2019 -- 12:16:12 - <Perf> - Builtin MPM "toclient TCP packet": 17
28/1/2019 -- 12:16:12 - <Perf> - Builtin MPM "toserver TCP stream": 33
28/1/2019 -- 12:16:12 - <Perf> - Builtin MPM "toclient TCP stream": 19
28/1/2019 -- 12:16:12 - <Perf> - Builtin MPM "toserver UDP packet": 27
28/1/2019 -- 12:16:12 - <Perf> - Builtin MPM "toclient UDP packet": 17
28/1/2019 -- 12:16:12 - <Perf> - Builtin MPM "other IP packet": 3
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_uri": 14
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_request_line": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_client_body": 6
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient http_response_line": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_header": 10
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient http_header": 6
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_header_names": 2
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_accept": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_referer": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_content_len": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_content_type": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient http_content_type": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_protocol": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_start": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_method": 5
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_cookie": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient http_cookie": 2
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver http_host": 2
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver dns_query": 4
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver tls_sni": 2
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toserver file_data": 1
28/1/2019 -- 12:16:12 - <Perf> - AppLayer MPM "toclient file_data": 7
28/1/2019 -- 12:16:14 - <Perf> - Registered 39590 rule profiling counters.
28/1/2019 -- 12:16:14 - <Info> - fast output device (regular) initialized: alert
28/1/2019 -- 12:16:14 - <Info> - eve-log output device (regular) initialized: eve.json
28/1/2019 -- 12:16:14 - <Config> - enabling 'eve-log' module 'alert'
28/1/2019 -- 12:16:14 - <Config> - enabling 'eve-log' module 'http'
28/1/2019 -- 12:16:14 - <Config> - enabling 'eve-log' module 'dns'
28/1/2019 -- 12:16:14 - <Config> - enabling 'eve-log' module 'tls'
28/1/2019 -- 12:16:14 - <Config> - enabling 'eve-log' module 'files'
28/1/2019 -- 12:16:14 - <Config> - enabling 'eve-log' module 'ssh'
28/1/2019 -- 12:16:14 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
28/1/2019 -- 12:16:14 - <Info> - stats output device (regular) initialized: stats.log
28/1/2019 -- 12:16:14 - <Config> - AutoFP mode using "Hash" flow load balancer
28/1/2019 -- 12:16:14 - <Info> - reading pcap file /var/pcap/01282019.1215-2019-01-24-Emotet-infection-with-spamming.pcap
28/1/2019 -- 12:16:14 - <Co

This file has been truncated. Go here to download in full.


stats.log - (3927 bytes) - download
------------------------------------------------------------------------------------
Date: 1/28/2019 -- 12:16:16 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 16748
decoder.bytes                              | Total                     | 5487582
decoder.ipv4                               | Total                     | 16748
decoder.ipv6                               | Total                     | 3
decoder.ethernet                           | Total                     | 16748
decoder.tcp                                | Total                     | 15306
decoder.udp                                | Total                     | 1442
decoder.teredo                             | Total                     | 3
decoder.avg_pkt_size                       | Total                     | 327
decoder.max_pkt_size                       | Total                     | 1342
flow.tcp                                   | Total                     | 925
flow.udp                                   | Total                     | 710
tcp.sessions                               | Total                     | 925
tcp.pseudo                                 | Total                     | 372
tcp.syn                                    | Total                     | 2217
tcp.synack                                 | Total                     | 297
tcp.rst                                    | Total                     | 351
tcp.reassembly_gap                         | Total                     | 3
tcp.overlap                                | Total                     | 4
detect.alert                               | Total                     | 10
detect.mpm_list                            | Total                     | 2
detect.nonmpm_list                         | Total                     | 4
detect.fnonmpm_list                        | Total                     | 2
detect.match_list                          | Total                     | 5
app_layer.flow.http                        | Total                     | 39
app_layer.tx.http                          | Total                     | 61
app_layer.flow.smtp                        | Total                     | 219
app_layer.tx.smtp                          | Total                     | 219
app_layer.flow.tls                         | Total                     | 16
app_layer.flow.dns_udp                     | Total                     | 709
app_layer.tx.dns_udp                       | Total                     | 718
app_layer.flow.failed_udp                  | Total                     | 1
flow_mgr.closed_pruned                     | Total                     | 19
flow_mgr.new_pruned                        | Total                     | 14
flow_mgr.est_pruned                        | Total                     | 2
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 15
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.flows_timeout                     | Total                     | 10
flow_mgr.flows_timeout_inuse               | Total                     | 10
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65521
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7099360


unified2.alert.1548677774 - (95491 bytes) - download

This file has been truncated. Go here to download in full.


eve.json - (953797 bytes) - download
{"timestamp":"2019-01-24T16:22:08.517438+0000","flow_id":2071376394511678,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.24.101","src_port":55818,"dest_ip":"192.168.137.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21287,"rrname":"akcer.cz","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-24T16:22:08.536114+0000","flow_id":2071376394511678,"pcap_cnt":2,"event_type":"dns","src_ip":"192.168.137.1","src_port":53,"dest_ip":"10.1.24.101","dest_port":55818,"proto":"UDP","dns":{"type":"answer","id":21287,"rcode":"NOERROR","rrname":"akcer.cz","rrtype":"A","ttl":1700,"rdata":"81.2.194.244"}}
{"timestamp":"2019-01-24T16:22:09.197063+0000","flow_id":922653031410523,"pcap_cnt":12,"event_type":"http","src_ip":"10.1.24.101","src_port":49158,"dest_ip":"81.2.194.244","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"akcer.cz","url":"\/sGpwf-0HQoA4aMhU3pbVz_QlJGdXSP-sf","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T16:22:09.396867+0000","flow_id":922653031410523,"pcap_cnt":14,"event_type":"fileinfo","src_ip":"81.2.194.244","src_port":80,"dest_ip":"10.1.24.101","dest_port":49158,"proto":"TCP","http":{"hostname":"akcer.cz","url":"\/sGpwf-0HQoA4aMhU3pbVz_QlJGdXSP-sf","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/akcer.cz\/sGpwf-0HQoA4aMhU3pbVz_QlJGdXSP-sf\/","length":316},"app_proto":"http","fileinfo":{"filename":"\/sGpwf-0HQoA4aMhU3pbVz_QlJGdXSP-sf","gaps":false,"state":"CLOSED","stored":false,"size":316,"tx_id":0}}
{"timestamp":"2019-01-24T16:22:09.725637+0000","flow_id":922653031410523,"pcap_cnt":71,"event_type":"alert","src_ip":"81.2.194.244","src_port":80,"dest_ip":"10.1.24.101","dest_port":49158,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2020657,"rev":2,"signature":"ET TROJAN Possible malicious Office doc hidden in XML file","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-24T16:22:10.225255+0000","flow_id":922653031410523,"pcap_cnt":377,"event_type":"http","src_ip":"10.1.24.101","src_port":49158,"dest_ip":"81.2.194.244","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"akcer.cz","url":"\/sGpwf-0HQoA4aMhU3pbVz_QlJGdXSP-sf\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/xml"}}
{"timestamp":"2019-01-24T16:22:10.906159+0000","flow_id":922653031410523,"pcap_cnt":395,"event_type":"fileinfo","src_ip":"81.2.194.244","src_port":80,"dest_ip":"10.1.24.101","dest_port":49158,"proto":"TCP","http":{"hostname":"akcer.cz","url":"\/sGpwf-0HQoA4aMhU3pbVz_QlJGdXSP-sf\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":241723},"app_proto":"http","fileinfo":{"filename":"BIZ_6OBBIONQ_01_24_19.doc","gaps":false,"state":"CLOSED","stored":false,"size":241454,"tx_id":1}}
{"timestamp":"2019-01-24T16:22:33.104493+0000","flow_id":1797744029702189,"pcap_cnt":400,"event_type":"dns","src_ip":"10.1.24.101","src_port":64707,"dest_ip":"192.168.137.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40423,"rrname":"khomyphamhanoi.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-24T16:22:33.812445+0000","flow_id":1797744029702189,"pcap_cnt":401,"event_type":"dns","src_ip":"192.168.137.1","src_port":53,"dest_ip":"10.1.24.101","dest_port":64707,"proto":"UDP","dns":{"type":"answer","id":40423,"rcode":"NOERROR","rrname":"khomyphamhanoi.com","rrtype":"A","ttl":3600,"rdata":"112.78.2.95"}}
{"timestamp":"2019-01-24T16:22:34.350550+0000","flow_id":34677134554964,"pcap_cnt":408,"event_type":"http","src_ip":"10.1.24.101","src_port":49160,"dest_ip":"112.78.2.95","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"khomyphamhanoi.com","url":"\/TvTwWqcK0","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T16:22:34.618740+0000","flow_id":34677134554964,"pcap_cnt":409,"event_type":"fileinfo","src_ip":"112.78.2.95","src_port":80,"dest_ip":"10.1.24.101","dest_port":49160,"proto":"TCP","http":{"hostname":"khomyphamhanoi.com","url":"\/TvTwWqcK0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/khomyphamhanoi.com\/TvTwWqcK0\/","length":244},"app_proto":"http","fileinfo":{"filename":"\/TvTwWqcK0","gaps":false,"state":"CLOSED","stored":false,"size":244,"tx_id":0}}
{"timestamp":"2019-01-24T16:22:35.125665+0000","flow_id":34677134554964,"pcap_cnt":454,"event_type":"alert","src_ip":"112.78.2.95","src_port":80,"dest_ip":"10.1.24.101","dest_port":49160,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-24T16:22:35.125665+0000","flow_id":34677134554964,"pcap_cnt":454,"event_type":"alert","src_ip":"112.78.2.95","src_port":80,"dest_ip":"10.1.24.101","dest_port":49160,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-01-24T16:22:35.125665+0000","flow_id":34677134554964,"pcap_cnt":454,"event_type":"alert","src_ip":"112.78.2.95","src_port":80,"dest_ip":"10.1.24.101","dest_port":49160,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2019-01-24T16:22:35.656508+0000","flow_id":34677134554964,"pcap_cnt":655,"event_type":"http","src_ip":"10.1.24.101","src_port":49160,"dest_ip":"112.78.2.95","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"khomyphamhanoi.com","url":"\/TvTwWqcK0\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2019-01-24T16:24:07.361023+0000","flow_id":2137832431051878,"pcap_cnt":679,"event_type":"alert","src_ip":"10.1.24.101","src_port":49164,"dest_ip":"190.216.238.62","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2003068,"rev":7,"signature":"ET SCAN Potential SSH Scan OUTBOUND","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2019-01-24T16:25:30.977941+0000","flow_id":165828267353146,"pcap_cnt":748,"event_type":"http","src_ip":"10.1.24.101","src_port":49168,"dest_ip":"200.68.61.242","dest_port":8080,"proto":"TCP","tx_id":0,"http":{"hostname":"200.68.61.242","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T16:25:31.418550+0000","flow_id":165828267353146,"pcap_cnt":757,"event_type":"fileinfo","src_ip":"200.68.61.242","src_port":8080,"dest_ip":"10.1.24.101","dest_port":49168,"proto":"TCP","http":{"hostname":"200.68.61.242","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":33012},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":33012,"tx_id":0}}
{"timestamp":"2019-01-24T16:25:32.596546+0000","flow_id":165828267353146,"pcap_cnt":759,"event_type":"http","src_ip":"10.1.24.101","src_port":49168,"dest_ip":"200.68.61.242","dest_port":8080,"proto":"TCP","tx_id":1,"http":{"hostname":"200.68.61.242","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T16:26:36.578728+0000","flow_id":165828267353146,"pcap_cnt":761,"event_type":"fileinfo","src_ip":"200.68.61.242","src_port":8080,"dest_ip":"10.1.24.101","dest_port":49168,"proto":"TCP","http":{"hostname":"200.68.61.242","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2019-01-24T16:40:27.437083+0000","flow_id":1582686497580206,"pcap_cnt":771,"event_type":"http","src_ip":"10.1.24.101","src_port":49169,"dest_ip":"200.68.61.242","dest_port":8080,"proto":"TCP","tx_id":0,"http":{"hostname":"200.68.61.242","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T16:41:32.429412+0000","flow_id":1582686497580206,"pcap_cnt":772,"event_type":"fileinfo","src_ip":"200.68.61.242","src_port":8080,"dest_ip":"10.1.24.101","dest_port":49169,"proto":"TCP","http":{"hostname":"200.68.61.242","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":0}}
{"timestamp":"2019-01-24T16:55:57.972232+0000","flow_id":1007633384624582,"pcap_cnt":805,"event_type":"http","src_ip":"10.1.24.101","src_port":49170,"dest_ip":"200.68.61.242","dest_port":8080,"proto":"TCP","tx_id":0,"http":{"hostname":"200.68.61.242","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T16:56:00.020250+0000","flow_id":1103750460474456,"pcap_cnt":1809,"event_type":"http","src_ip":"10.1.24.101","src_port":49171,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T16:56:00.175986+0000","flow_id":1103750460474456,"pcap_cnt":1816,"event_type":"fileinfo","src_ip":"189.250.153.215","src_port":443,"dest_ip":"10.1.24.101","dest_port":49171,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":583652},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":583652,"tx_id":0}}
{"timestamp":"2019-01-24T16:56:00.406170+0000","flow_id":1103750460474456,"pcap_cnt":1818,"event_type":"http","src_ip":"10.1.24.101","src_port":49171,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","tx_id":1,"http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T16:57:05.406563+0000","flow_id":1103750460474456,"pcap_cnt":1819,"event_type":"fileinfo","src_ip":"189.250.153.215","src_port":443,"dest_ip":"10.1.24.101","dest_port":49171,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2019-01-24T17:10:24.697915+0000","flow_id":1377481667907243,"pcap_cnt":1829,"event_type":"http","src_ip":"10.1.24.101","src_port":49172,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T17:11:29.695229+0000","flow_id":1377481667907243,"pcap_cnt":1830,"event_type":"fileinfo","src_ip":"189.250.153.215","src_port":443,"dest_ip":"10.1.24.101","dest_port":49172,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":0}}
{"timestamp":"2019-01-24T17:25:13.034319+0000","flow_id":1542460009915662,"pcap_cnt":1840,"event_type":"http","src_ip":"10.1.24.101","src_port":49173,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T17:26:18.033458+0000","flow_id":1542460009915662,"pcap_cnt":1841,"event_type":"fileinfo","src_ip":"189.250.153.215","src_port":443,"dest_ip":"10.1.24.101","dest_port":49173,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":0}}
{"timestamp":"2019-01-24T17:39:50.370896+0000","flow_id":1242448011831988,"pcap_cnt":1888,"event_type":"http","src_ip":"10.1.24.101","src_port":49174,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-24T17:39:50.672888+0000","flow_id":1242448011831988,"pcap_cnt":1890,"event_type":"fileinfo","src_ip":"189.250.153.215","src_port":443,"dest_ip":"10.1.24.101","dest_port":49174,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","pr

This file has been truncated.
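What the eve.json excerpt above shows is worth pulling out explicitly: 10.1.24.101 sends GET / to 189.250.153.215 on TCP/443, Suricata logs the exchange as an http event (the matching fileinfo records carry app_proto "http"), so this is cleartext HTTP on a port where TLS is expected, the Host header is a bare IP address, and the requests recur at roughly fifteen-minute spacing (16:56, 17:10, 17:25, 17:39). The script below is an added example, not part of the original analysis page or of Suricata: it reads eve.json lines, keeps only http events, groups them per client/server/port, and reports groups that are periodic, on a TLS port, and addressed to an IP literal. The sample input is constructed from four http events and one fileinfo event of the excerpt, cut down to the fields used (the User-Agent is shortened); the TLS_PORTS set and the 10% jitter threshold are assumptions.

```python
import ipaddress
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: four http events and one fileinfo event from the eve.json
# excerpt, reduced to the fields this script reads. Timestamps, addresses and
# ports are as logged; the User-Agent string is shortened.
SAMPLE_EVE = """
{"timestamp":"2019-01-24T16:56:00.406170+0000","flow_id":1103750460474456,"event_type":"http","src_ip":"10.1.24.101","src_port":49171,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"/","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)"}}
{"timestamp":"2019-01-24T16:57:05.406563+0000","flow_id":1103750460474456,"event_type":"fileinfo","src_ip":"189.250.153.215","src_port":443,"dest_ip":"10.1.24.101","dest_port":49171,"proto":"TCP","app_proto":"http","fileinfo":{"filename":"/","size":148}}
{"timestamp":"2019-01-24T17:10:24.697915+0000","flow_id":1377481667907243,"event_type":"http","src_ip":"10.1.24.101","src_port":49172,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"/","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)"}}
{"timestamp":"2019-01-24T17:25:13.034319+0000","flow_id":1542460009915662,"event_type":"http","src_ip":"10.1.24.101","src_port":49173,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"/","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)"}}
{"timestamp":"2019-01-24T17:39:50.370896+0000","flow_id":1242448011831988,"event_type":"http","src_ip":"10.1.24.101","src_port":49174,"dest_ip":"189.250.153.215","dest_port":443,"proto":"TCP","http":{"hostname":"189.250.153.215","url":"/","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)"}}
"""

# Ports where a client is expected to speak TLS. A parsed HTTP transaction on
# one of them means Suricata saw cleartext HTTP there. Assumed list.
TLS_PORTS = {443, 8443}


def parse_ts(ts):
    """eve.json timestamps look like 2019-01-24T16:56:00.406170+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_ip_literal(host):
    """True when the HTTP Host header is a bare IP address (IPv4 with an
    explicit :port is accepted; bracketed IPv6 with a port is not handled)."""
    if host.count(":") == 1:
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def iter_http_events(text):
    """Yield only event_type=http records; fileinfo, flow and others are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "http":
            yield ev


def find_beacons(text, min_hits=3, max_jitter=0.10):
    """Group client->server HTTP requests and test each series for periodicity.

    jitter = max |interval - median| / median. A series with at least min_hits
    requests and jitter <= max_jitter (assumed 10%) is reported as periodic.
    """
    groups = defaultdict(list)
    for ev in iter_http_events(text):
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"])
        groups[key].append((parse_ts(ev["timestamp"]), ev["http"].get("hostname", "")))

    findings = []
    for (src, dst, dport), hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        times = [t for t, _ in hits]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(intervals)
        jitter = max(abs(i - median) for i in intervals) / median if median else float("inf")
        findings.append({
            "src_ip": src,
            "dest_ip": dst,
            "dest_port": dport,
            "hits": len(hits),
            "median_interval_s": round(median, 3),
            "jitter": round(jitter, 4),
            "periodic": jitter <= max_jitter,
            "cleartext_on_tls_port": dport in TLS_PORTS,
            "ip_literal_host": all(is_ip_literal(h) for _, h in hits),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EVE):
        print(finding)
```

On the sample the three intervals are 864.3 s, 888.3 s and 877.3 s, so the series is reported as periodic with a median of about 877 s and jitter near 1.5%; the http event on port 443 and the bare-IP Host header are each flagged separately, because either one alone is already a reason to look at the flow even where the capture is too short to establish a period.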


suricata-4.0.0-etpro-all-alert-2019-01-28-T-12-16-17-01282019.1215-2019-01-24-Emotet-infection-with-spamming.pcap.txt - (2017 bytes) - download
01/24/2019-16:22:09.725637  [**] [1:2020657:2] ET TROJAN Possible malicious Office doc hidden in XML file [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 81.2.194.244:80 -> 10.1.24.101:49158
01/24/2019-16:22:35.125665  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 112.78.2.95:80 -> 10.1.24.101:49160
01/24/2019-16:22:35.125665  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 112.78.2.95:80 -> 10.1.24.101:49160
01/24/2019-16:22:35.125665  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 112.78.2.95:80 -> 10.1.24.101:49160
01/24/2019-16:24:07.361023  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.24.101:49164 -> 190.216.238.62:22
01/24/2019-17:57:36.186503  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.24.101:49185 -> 190.216.238.62:22
01/24/2019-19:15:38.559776  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.24.101:49353 -> 190.216.238.62:22
01/24/2019-19:22:45.701662  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.210.196.57:25 -> 10.1.24.101:49389
01/24/2019-19:25:03.974512  [**] [1:2012982:4] ET SMTP Abuseat.org Block Message [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.252.144.63:25 -> 10.1.24.101:49445
01/24/2019-19:28:28.779220  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 200.69.135.234:25 -> 10.1.24.101:49598
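Read in order, the ten alerts above give the shape of the incident for 10.1.24.101: an Office document hidden in XML arrives from 81.2.194.244:80, a PE file is fetched from 112.78.2.95:80 with minimal HTTP headers, the host then makes outbound connections to 190.216.238.62:22 that trip the SSH-scan signature three times over three hours, and from 19:22 onward it is talking to mail servers on port 25, one of which answers with an Abuseat.org block message. The parser below is an added example (not code from the original page or from Suricata) that turns fast.log lines into that kind of per-host stage list: it collapses repeated signatures into one stage with a count and first/last seen, tags each stage by direction relative to the victim, and collects the external peers, separately noting those reached on port 25. The sample input is the ten lines above, copied verbatim; the victim address is taken from them.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample: the ten fast.log alert lines from the page, verbatim.
SAMPLE_FASTLOG = """\
01/24/2019-16:22:09.725637  [**] [1:2020657:2] ET TROJAN Possible malicious Office doc hidden in XML file [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 81.2.194.244:80 -> 10.1.24.101:49158
01/24/2019-16:22:35.125665  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 112.78.2.95:80 -> 10.1.24.101:49160
01/24/2019-16:22:35.125665  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 112.78.2.95:80 -> 10.1.24.101:49160
01/24/2019-16:22:35.125665  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 112.78.2.95:80 -> 10.1.24.101:49160
01/24/2019-16:24:07.361023  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.24.101:49164 -> 190.216.238.62:22
01/24/2019-17:57:36.186503  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.24.101:49185 -> 190.216.238.62:22
01/24/2019-19:15:38.559776  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.24.101:49353 -> 190.216.238.62:22
01/24/2019-19:22:45.701662  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 190.210.196.57:25 -> 10.1.24.101:49389
01/24/2019-19:25:03.974512  [**] [1:2012982:4] ET SMTP Abuseat.org Block Message [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.252.144.63:25 -> 10.1.24.101:49445
01/24/2019-19:28:28.779220  [**] [1:2011540:6] ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 200.69.135.234:25 -> 10.1.24.101:49598
"""

# Suricata fast.log layout. The Classification block is optional because rules
# without a classtype omit it. The address pattern is written for IPv4; an
# IPv6 address with a port would need bracket handling this example skips.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
            d[k] = int(d[k])
        out.append(d)
    return out


def summarize(text, victim):
    """Collapse repeated signatures into stages ordered by first hit, tag each by
    direction relative to the victim, and list the external peers involved."""
    alerts = sorted(parse_alerts(text), key=lambda a: a["ts"])  # stable sort
    stages = OrderedDict()
    peers, smtp_peers = set(), set()
    for a in alerts:
        if a["src"] == victim:
            direction, peer, peer_port = "outbound", a["dst"], a["dport"]
        elif a["dst"] == victim:
            direction, peer, peer_port = "inbound", a["src"], a["sport"]
        else:
            continue  # alert does not involve the host under investigation
        peers.add(peer)
        if peer_port == 25:
            smtp_peers.add(peer)
        st = stages.setdefault(a["sid"], {
            "sid": a["sid"], "msg": a["msg"], "priority": a["pri"],
            "direction": direction, "first": a["ts"], "last": a["ts"],
            "count": 0, "peers": set(),
        })
        st["count"] += 1
        st["last"] = a["ts"]
        st["peers"].add(peer)
    span = (alerts[-1]["ts"] - alerts[0]["ts"]).total_seconds() if alerts else 0.0
    return {"stages": list(stages.values()), "peers": sorted(peers),
            "smtp_peers": sorted(smtp_peers), "span_seconds": span}


if __name__ == "__main__":
    report = summarize(SAMPLE_FASTLOG, "10.1.24.101")
    for st in report["stages"]:
        print(f'{st["first"]:%H:%M:%S} {st["direction"]:8} x{st["count"]} sid={st["sid"]} {st["msg"]}')
    print("SMTP peers:", report["smtp_peers"], "span:", report["span_seconds"], "s")
```

Note the priorities: the two stages that actually mark the compromise (the Office document and the PE download) are priority 1, while the later SMTP alerts are priority 3 and classified "Not Suspicious Traffic" because the signatures describe the mail server's behaviour, not the client's. Ranking by priority alone would hide the spam phase; ordering stages by first hit per host keeps it visible.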


keyword_perf.log - (18059 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:16:16
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            54636           18              18              4850            3035.00         3035.00         0.00           
  flow             43941954        11721           11721           6741624         3748.00         3748.00         0.00           
  threshold        75879           18              3               9456            4215.00         3226.00         4413.00        
  content          190724770       21362           13548           6174574         8928.00         7795.00         10891.00       
  pcre             15452752        3365            880             119563          4592.00         4846.00         4502.00        
  byte_test        27341261        8602            4160            94682           3178.00         3322.00         3043.00        
  byte_jump        362277          102             20              5414            3551.00         3305.00         3611.00        
  isdataat         2012644         677             0               30522           2972.00         0.00            2972.00        
  flowbits         1089809         337             42              29791           3233.00         3743.00         3161.00        
  urilen           5184022         1615            335             37081           3209.00         3419.00         3155.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            54636           18              18              4850            3035.00         3035.00         0.00           
  flow             43941954        11721           11721           6741624         3748.00         3748.00         0.00           
  flowbits         1022248         323             28              29791           3164.00         3202.00         3161.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          42552564        10463           6859            423363          4066.00         4024.00         4148.00        
  pcre             6276526         1534            223             83169           4091.00         3660.00         4164.00        
  byte_test        27341261        8602            4160            94682           3178.00         3322.00         3043.00        
  byte_jump        340837          95              13              5414            3587.00         3435.00         3611.00        
  isdataat         2012644         677             0               30522           2972.00         0.00            2972.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         67561           14              14              7530            4825.00         4825.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        75879           18              3               9456            4215.00         3226.00         4413.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1512179         431             108             15456           3508.00         3867.00         3388.00        
  pcre             1665476         354             86              66006           4704.00         4478.00         4777.00        
  urilen           5184022         1615            335             37081           3209.00         3419.00         3155.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          143650          42              0               4148            3420.00         0.00            3420.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          106099298       1881            561             6174574         56405.00        82639.00        45256.00       
  pcre             2255461         526             0               119563          4287.00         0.00            4287.00        
  byte_jump        21440           7               7               4050            3062.00         3062.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          28911690        5559            4385            5786845         5200.00         5552.00         3889.00        
  pcre             4300912         784             405             39886           5485.00         5219.00         5770.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1039609         272             166             16148           3822.00         4114.00         3363.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          410684          94              94              34811           4368.00         4368.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          227410          48              48              42203           4737.00         4737.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3936            1               0               3936            3936.00         0.00            3936.00        
  pcre             4841            1               0               4841            4841.00         0.00            4841.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1580540         429             210             54686           3684.00         4327.00         3067.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             358565          48              48              46196           7470.00         7470.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6642264         1702            1080            60018           3902.00         4174.00         3430.00        
  pcre             590971          118             118             33700           5008.00         5008.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3262            1               0               3262            3262.00         0.00            3262.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          387368          115             1               4526            3368.00         3653.00         3365.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          128363          13              0               54641           9874.00         0.00            9874.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_issuer
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg     

This file has been truncated.


suricata-4.0.0-etpro-all-perf.txt-2019-01-28-T-12-16-17-01282019.1215-2019-01-24-Emotet-infection-with-spamming.pcap.txt - (96086 bytes) - download
  --------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:16:16. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2017552      1        6        64163235     7.14   2543     0        19228579    25231.32    0.00        25231.32   
  2        2801930      1        7        8435002      0.94   56       0        7621055     150625.04   0.00        150625.04  
  3        2024272      1        4        9009869      1.00   53       0        6971834     169997.53   0.00        169997.53  
  4        2016537      1        2        43583344     4.85   2484     2        6756747     17545.63    63148.50    17508.88   
  5        2806802      1        2        14325772     1.59   321      0        6197576     44628.57    0.00        44628.57   
  6        2014130      1        2        6557872      0.73   117      0        6195119     56050.19    0.00        56050.19   
  7        2820157      1        2        40431084     4.50   167      0        6175388     242102.30   0.00        242102.30  
  8        2020865      1        3        22094143     2.46   111      0        6126758     199046.33   0.00        199046.33  
  9        2018242      1        5        7950958      0.89   57       0        6011707     139490.49   0.00        139490.49  
  10       2025064      1        5        8075091      0.90   59       0        5827983     136865.95   0.00        136865.95  
  11       2819930      1        2        25764764     2.87   126      0        3305980     204482.25   0.00        204482.25  
  12       2820158      1        2        31008617     3.45   167      0        2051480     185680.34   0.00        185680.34  
  13       2801929      1        7        1763712      0.20   56       0        733346      31494.86    0.00        31494.86   
  14       2826281      1        2        11928919     1.33   719      0        683147      16590.99    0.00        16590.99   
  15       2815453      1        4        604412       0.07   1        0        604412      604412.00   0.00        604412.00  
  16       2018005      1        6        18332656     2.04   213      0        542528      86068.81    0.00        86068.81   
  17       2819664      1        2        22537964     2.51   126      0        541010      178872.73   0.00        178872.73  
  18       2024777      1        2        2325133      0.26   539      0        525060      4313.79     0.00        4313.79    
  19       2002993      1        7        6521969      0.73   2099     0        436653      3107.18     0.00        3107.18    
  20       2014703      1        9        13388670     1.49   1438     0        436517      9310.62     0.00        9310.62    
  21       2802987      1        5        976074       0.11   52       0        414889      18770.65    0.00        18770.65   
  22       2804907      1        3        804715       0.09   29       0        409525      27748.79    0.00        27748.79   
  23       2803657      1        5        621633       0.07   42       0        406743      14800.79    0.00        14800.79   
  24       2806561      1        5        7201182      0.80   2201     0        398517      3271.78     0.00        3271.78    
  25       2804927      1        2        570255       0.06   54       0        397563      10560.28    0.00        10560.28   
  26       2023476      1        5        4400751      0.49   22       0        394743      200034.14   0.00        200034.14  
  27       2003068      1        7        7068431      0.79   2099     18       391850      3367.52     16617.11    3252.92    
  28       2010938      1        3        6403094      0.71   2099     0        388517      3050.55     0.00        3050.55    
  29       2804911      1        3        1214715      0.14   80       0        372844      15183.94    0.00        15183.94   
  30       2804906      1        3        495734       0.06   42       0        371566      11803.19    0.00        11803.19   
  31       2816510      1        3        574804       0.06   2        0        311156      287402.00   0.00        287402.00  
  32       2021621      1        6        3195512      0.36   18       0        275841      177528.44   0.00        177528.44  
  33       2018375      1        3        1837353      0.20   104      0        274213      17666.86    0.00        17666.86   
  34       2022543      1        1        10834498     1.21   675      0        269630      16051.11    0.00        16051.11   
  35       2819940      1        3        524692       0.06   2        0        268531      262346.00   0.00        262346.00  
  36       2823788      1        4        2458745      0.27   719      0        261961      3419.67     0.00        3419.67    
  37       2803027      1        6        589418       0.07   63       0        242182      9355.84     0.00        9355.84    
  38       2022279      1        2        223874       0.02   1        0        223874      223874.00   0.00        223874.00  
  39       2807400      1        3        424318       0.05   4        0        221775      106079.50   0.00        106079.50  
  40       2018982      1        2        459791       0.05   4        0        218826      114947.75   0.00        114947.75  
  41       2805985      1        2        425343       0.05   4        0        216820      106335.75   0.00        106335.75  
  42       2020569      1        1        416590       0.05   4        0        216665      104147.50   0.00        104147.50  
  43       2022627      1        12       1935040      0.22   22       0        202283      87956.36    0.00        87956.36   
  44       2022535      1        11       1983209      0.22   22       0        192317      90145.86    0.00        90145.86   
  45       2807932      1        6        366764       0.04   2        0        185205      183382.00   0.00        183382.00  
  46       2808234      1        1        477061       0.05   4        0        178840      119265.25   0.00        119265.25  
  47       2008120      1        4        4501910      0.50   1439     0        177016      3128.50     0.00        3128.50    
  48       2022050      1        3        408234       0.05   4        0        176496      102058.50   0.00        102058.50  
  49       2022508      1        2        168282       0.02   1        0        168282      168282.00   0.00        168282.00  
  50       2828008      1        2        3607215      0.40   59       0        151764      61139.24    0.00        61139.24   
  51       2024829      1        2        2943793      0.33   131      0        145589      22471.70    0.00        22471.70   
  52       2008575      1        5        1131272      0.13   148      0        142831      7643.73     0.00        7643.73    
  53       2012970      1        2        147210       0.02   3        0        141084      49070.00    0.00        49070.00   
  54       2811447      1        2        2549037      0.28   78       0        139370      32679.96    0.00        32679.96   
  55       2025330      1        1        388857       0.04   4        0        132901      97214.25    0.00        97214.25   
  56       2809981      1        3        253520       0.03   2        0        129999      126760.00   0.00        126760.00  
  57       2816931      1        3        1751797      0.20   59       0        129076      29691.47    0.00        29691.47   
  58       2830701      1        1        4230656      0.47   53       0        128692      79823.70    0.00        79823.70   
  59       2808503      1        2        247189       0.03   2        0        128581      123594.50   0.00        123594.50  
  60       2012981      1        5        127615       0.01   2        0        124399      63807.50    0.00        63807.50   
  61       2809747      1        2        124329       0.01   1        0        124329      124329.00   0.00        124329.00  
  62       2019344      1        5        3654033      0.41   57       4        124125      64105.84    75160.00    63271.57   
  63       2009897      1        14       272812       0.03   4        0        122390      68203.00    0.00        68203.00   
  64       2018358      1        7        4875490      0.54   57       0        121180      85534.91    0.00        85534.91   
  65       2012906      1        4        120677       0.01   1        0        120677      120677.00   0.00        120677.00  
  66       2022480      1        2        2212593      0.25   40       0        118950      55314.82    0.00        55314.82   
  67       2809855      1        2        221946       0.02   2        0        118419      110973.00   0.00        110973.00  
  68       2809923      1        2        221909       0.02   2        0        117853      110954.50   0.00        110954.50  
  69       2018789      1        3        2022081      0.23   212      0        117129      9538.12     0.00        9538.12    
  70       2021375      1        2        220568       0.02   2        0        116643      110284.00   0.00        110284.00  
  71       2014701      1        12       17402500     1.94   1438     0        115527      12101.88    0.00        12101.88   
  72       2014702      1        9        13226818     1.47   1438     0        115177      9198.07     0.00        9198.07    
  73       2001330      1        8        11112096     1.24   3625     0        112877      3065.41     0.00        3065.41    
  74       2819857      1        1        218427       0.02   4        0        111708      54606.75    0.00        54606.75   
  75       2001580      1        15       6184018      0.69   2099     0        111694      2946.17     0.00        2946.17    
  76       2827279      1        5        3760960      0.42   59       0        110029      63745.08    0.00        63745.08   
  77       2811542      1        1        2710978      0.30   214      0        105975      12668.12    0.00        12668.12   
  78       2811544      1        1        6872004      0.77   656      0        103851      10475.62    0.00        10475.62   
  79       2020388      1        8        2503656      0.28   59       0        101726      42434.85    0.00        42434.85   
  80       2025200      1        1        4677330      0.52   1441     0        99932       3245.89     0.00        3245.89    
  81       2023315      1        2        2161348      0.24   57       0        98983       37918.39    0.00        37918.39   
  82       2816910      1        2        3490951      0.39   59       0        97513       59168.66    0.00        59168.66   
  83       2022339      1        2        2753696      0.31   57       0        96030       48310.46    0.00        48310.46   
  84       2810451      1        5        149574       0.02   7        0        95638       21367.71    0.00        21367.71   
  85       2019230      1        2        9533797      1.06   919      0        93161       10374.10    0.00        10374.10   
  86       2811577      1        2        6883102      0.77   656      0        91974       10492.53    0.00        10492.53   
  87       2816909      1        2        3502645      0.39   59       0        91444       59366.86    0.00        59366.86   
  88       2009702      1        5        18079316     2.01   1438     0        91192       12572.54    0.00        12572.54   
  89       2816165      1        5        2253127      0.25   61       0        90063       36936.51    0.00        36936.51   
  90       2806020      1        2        89677        0.01   1        0        89677       89677.00    0.00        89677.00   
  91       2008299      1        4        132862       0.01   14       0        89447       9490.14     0.00        9490.14    
  92       2022198      1        2        326284       0.04   9        0        88925       36253.78    0.00        36253.78   
  93       2802991      1        5        226942       0.03   44       0        88403       5157.77     0.00        5157.77    
  94       2017613      1        9        2027015      0.23   57       0        87543       35561.67    0.00        35561.67   
  95       2830764      1        2        267379       0.03   14       0        87034       19098.50    0.00        19098.50   
  96       2814979      1        2        832211       0.09   213      0        87021       3907.09     0.00        3907.09    
  97       2018958      1        18       2521985      0.28   57       0        86635       44245.35    0.00        44245.35   
  98       2802881      1        3        89350        0.01   2        0        86451       44675.00    0.00        44675.00   
  99       2023875      1        2        1895088      0.21   57       0        85375       33247.16    0.00        33247.16   
  100      2816940      1        2        3315922      0.37   59       0        85143       56202.07    0.00        56202.07   
  101      2019693      1        5        1767898      0.20   57       0        84937       31015.75    0.00        31015.75   
  102      2803760      1        3        11364696     1.27   719      0        83690       15806.25    0.00        15806.25   
  103      2816927      1        3        1707398      0.19   59       0        82819       28938.95    0.00        28938.95   
  104      2019832      1        4        120916       0.01   2        0        82447       60458.00    0.00        60458.00   
  105      2816925      1        3        1714114      0.19   59       0        80372       29052.78    0.00        29052.78   
  106      2829607      1        1        80033        0.01   1        1        80033       80033.00    80033.00    0.00       
  107      2022262      1        3        1805018      0.20   57       0        79685       31666.98    0.00        31666.98   
  108      2823570      1        4        2125581      0.24   53       0        79339       40105.30    0.00        40105.30   
  109      2802880      1        3        94153        0.01   6        0        79045       15692.17    0.00        15692.17   
  110      2024178      1        2        1403460      0.16   57       0        78733       24622.11    0.00        24622.11   
  111      2827202      1        3        278066       0.03   4        0        78081       69516.50    0.00        69516.50   
  112      2009909      1        10       258816       0.03   4        0        77569       64704.00    0.00        64704.00   
  113      2022049      1        3        1378275      0.15   57       0        77567       24180.26    0.00        24180.26   
  114      2013441      1        9        219467       0.02   4        0        75936       54866.75    0.00        54866.75   
  115      2023670      1        3        2033486      0.23   57       4        75337       35675.19    41182.25    35259.57   
  116      2020741      1        1        1258986      0.14   40       0        73418       31474.65    0.00        31474.65   
  117      2816928      1        3        1714045      0.19   59       0        73360       29051.61    0.00        29051.61   
  118      2019881      1        3        2043216      0.23   57       0        73351       35845.89    0.00        35845.89   
  119      2024720      1        3        264451       0.03   4        0        72769       66112.75    0.00        66112.75   
  120      2018316      1        4        1337975      0.15   40       0        72344       33449.38    0.00        33449.38   
  121      2008438      1        20       207161       0.02   4        0        71970       51790.25    0.00        51790.25   
  122      2816922      1        5        1754677      0.20   59       0        70905       29740.29    0.00        29740.29   
  123      2805442      1        2        287049       0.03   64       0        70149       4485.14     0.00        4485.14    
  124      2020369      1        3        205951       0.02   4        0        69957       51487.75    0.00        51487.75   
  125      2024767      1        2        1

This file has been truncated.
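The profiling rows above are Suricata's per-rule output (rule_perf.log), one row per signature: Num, Rule (sid), Gid, Rev, Ticks, %, Checks, Matches, Max Ticks, Avg Ticks, Avg Match, Avg No Match. The header sits outside this excerpt, so that column layout is an assumption taken from the Suricata 4.x rule_perf.log format; it checks out against the rows (for sid 2019344, 57 checks at 64105.84 average ticks gives the listed 3654033 ticks, and 4 matches at 75160.00 plus 53 non-matches at 63271.57 gives the same total). The parser below is an added example written for this page, not code from the page, from Suricata or from IDSDeathBlossom. It reads such rows, cross-checks each row's averages against its totals, lists the rules that actually matched, and ranks the rules that never matched by the ticks they consumed, which is the list to look at when tuning a ruleset. The sample input is constructed from rows copied from the excerpt plus a reconstructed header, and keeps the cut-off last row to show that an incomplete row is skipped rather than mis-parsed.

```python
"""Rank Suricata rule-profiling rows (rule_perf.log) by cost and by matches.

Added example; not part of Suricata or IDSDeathBlossom. Column layout assumed
from Suricata 4.x rule_perf.log:
  Num Rule Gid Rev Ticks % Checks Matches MaxTicks AvgTicks AvgMatch AvgNoMatch
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One profiling row: twelve whitespace-separated numeric fields.
# Header, separator and truncated rows (fewer fields) deliberately do not match.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


@dataclass(frozen=True)
class RuleProfile:
    num: int
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_no_match: float

    def consistent(self, rel_tol: float = 1e-3) -> bool:
        """Cross-check averages against totals: Ticks should equal both
        Checks*AvgTicks and Matches*AvgMatch + (Checks-Matches)*AvgNoMatch."""
        if self.ticks == 0:
            return self.checks == 0 or self.avg_ticks == 0.0
        by_avg = self.checks * self.avg_ticks
        by_split = (self.matches * self.avg_match
                    + (self.checks - self.matches) * self.avg_no_match)
        return (abs(by_avg - self.ticks) / self.ticks <= rel_tol
                and abs(by_split - self.ticks) / self.ticks <= rel_tol)


def parse_rule_perf(text: str) -> list[RuleProfile]:
    """Parse rule_perf.log text, skipping header, separators and cut-off rows."""
    rows: list[RuleProfile] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        f = m.groups()
        rows.append(RuleProfile(
            int(f[0]), int(f[1]), int(f[2]), int(f[3]), int(f[4]), float(f[5]),
            int(f[6]), int(f[7]), int(f[8]), float(f[9]), float(f[10]), float(f[11]),
        ))
    return rows


def fired(rows: list[RuleProfile]) -> list[RuleProfile]:
    """Rules that matched at least once, most matches (then most ticks) first."""
    return sorted((r for r in rows if r.matches > 0),
                  key=lambda r: (-r.matches, -r.ticks))


def expensive_silent(rows: list[RuleProfile], n: int = 5) -> list[RuleProfile]:
    """Tuning candidates: rules that never matched, ordered by total ticks."""
    return sorted((r for r in rows if r.matches == 0),
                  key=lambda r: -r.ticks)[:n]


# Constructed sample: a reconstructed header plus rows copied from the
# profiling excerpt on this page, including its cut-off last row.
SAMPLE = """\
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  59       2808503      1        2        247189       0.03   2        0        128581      123594.50   0.00        123594.50
  62       2019344      1        5        3654033      0.41   57       4        124125      64105.84    75160.00    63271.57
  71       2014701      1        12       17402500     1.94   1438     0        115527      12101.88    0.00        12101.88
  73       2001330      1        8        11112096     1.24   3625     0        112877      3065.41     0.00        3065.41
  88       2009702      1        5        18079316     2.01   1438     0        91192       12572.54    0.00        12572.54
  106      2829607      1        1        80033        0.01   1        1        80033       80033.00    80033.00    0.00
  115      2023670      1        3        2033486      0.23   57       4        75337       35675.19    41182.25    35259.57
  125      2024767      1        2        1
"""

if __name__ == "__main__":
    rows = parse_rule_perf(SAMPLE)
    bad = [r.sid for r in rows if not r.consistent()]
    print(f"parsed {len(rows)} rows, inconsistent: {bad}")
    for r in fired(rows):
        print(f"fired  sid={r.sid} matches={r.matches}/{r.checks} ticks={r.ticks}")
    for r in expensive_silent(rows, 3):
        print(f"silent sid={r.sid} checks={r.checks} ticks={r.ticks} avg={r.avg_ticks:.0f}")
```

Feed parse_rule_perf() the full rule_perf.log rather than the excerpt to get a complete picture; the consistent() check is worth keeping because a row whose averages do not reproduce its totals usually means the file was cut mid-write or the columns were misread, not that Suricata miscounted.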


IDSDeathBlossom.py.log - (1181 bytes) - download
2019-01-28 12:15:52,220 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-28 12:15:52,968 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-28 12:15:52,968 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-28 12:15:52,969 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-28 12:15:52,969 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-28 12:15:52,969 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/9c1a8d4f27d7c5d6ea7eef98301843dc56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1215-2019-01-24-Emotet-infection-with-spamming.pcap -vvv -k none
2019-01-28 12:16:17,054 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-28 12:16:17,054 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 24.8422961235