Filename: 2017-04-19-Dridex-malspam-traffic-example.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.8951058388 seconds
Hash: 9efc00338cf64e85a29958f0d139f032
Uploaded: 1548680262

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2019-01-28-T-12-58-04-01282019.1257-2017-04-19-Dridex-malspam-traffic-example.pcap.txt - (25046 bytes)
  --------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:58:04. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2820158      1        2        3084664      10.83  13       0        516972      237281.85   0.00        237281.85  
  2        2022627      1        12       1690459      5.94   6        0        318520      281743.17   0.00        281743.17  
  3        2020865      1        3        1604301      5.63   12       0        233369      133691.75   0.00        133691.75  
  4        2820157      1        2        1885088      6.62   13       0        173377      145006.77   0.00        145006.77  
  5        2023476      1        5        766231       2.69   6        6        170246      127705.17   127705.17   0.00       
  6        2022535      1        11       768973       2.70   6        0        156592      128162.17   0.00        128162.17  
  7        2023583      1        4        86506        0.30   1        1        86506       86506.00    86506.00    0.00       
  8        2814978      1        2        156632       0.55   6        0        80087       26105.33    0.00        26105.33   
  9        2828123      1        2        67690        0.24   1        1        67690       67690.00    67690.00    0.00       
  10       2816909      1        2        66039        0.23   1        0        66039       66039.00    0.00        66039.00   
  11       2816924      1        4        62856        0.22   1        0        62856       62856.00    0.00        62856.00   
  12       2814979      1        2        136531       0.48   6        0        62087       22755.17    0.00        22755.17   
  13       2018005      1        6        291907       1.03   6        0        61125       48651.17    0.00        48651.17   
  14       2017552      1        6        969567       3.40   68       0        59670       14258.34    0.00        14258.34   
  15       2816940      1        2        57094        0.20   1        0        57094       57094.00    0.00        57094.00   
  16       2816910      1        2        56962        0.20   1        0        56962       56962.00    0.00        56962.00   
  17       2822213      1        2        119438       0.42   6        0        55242       19906.33    0.00        19906.33   
  18       2811447      1        2        967367       3.40   30       0        54704       32245.57    0.00        32245.57   
  19       2025064      1        5        54497        0.19   1        0        54497       54497.00    0.00        54497.00   
  20       2804911      1        3        212883       0.75   20       0        54148       10644.15    0.00        10644.15   
  21       2804906      1        3        159822       0.56   16       0        53334       9988.88     0.00        9988.88    
  22       2803027      1        6        94953        0.33   15       0        53019       6330.20     0.00        6330.20    
  23       2803657      1        5        138388       0.49   21       0        44389       6589.90     0.00        6589.90    
  24       2022552      1        2        257223       0.90   12       0        43910       21435.25    0.00        21435.25   
  25       2804907      1        3        64411        0.23   9        0        43765       7156.78     0.00        7156.78    
  26       2024325      1        3        43739        0.15   1        1        43739       43739.00    43739.00    0.00       
  27       2022502      1        4        40787        0.14   1        0        40787       40787.00    0.00        40787.00   
  28       2802987      1        5        63126        0.22   10       0        38965       6312.60     0.00        6312.60    
  29       2801929      1        7        68179        0.24   12       0        38618       5681.58     0.00        5681.58    
  30       2018055      1        3        674876       2.37   111      0        38217       6079.96     0.00        6079.96    
  31       2802991      1        5        81444        0.29   17       0        38149       4790.82     0.00        4790.82    
  32       2009702      1        5        39963        0.14   2        0        37121       19981.50    0.00        19981.50   
  33       2024771      1        1        620451       2.18   111      0        36399       5589.65     0.00        5589.65    
  34       2022609      1        2        36190        0.13   1        0        36190       36190.00    0.00        36190.00   
  35       2820851      1        5        35823        0.13   1        0        35823       35823.00    0.00        35823.00   
  36       2830124      1        1        35530        0.12   1        0        35530       35530.00    0.00        35530.00   
  37       2801930      1        7        63226        0.22   12       0        34686       5268.83     0.00        5268.83    
  38       2804927      1        2        82926        0.29   19       0        34603       4364.53     0.00        4364.53    
  39       2018457      1        1        80945        0.28   6        0        33696       13490.83    0.00        13490.83   
  40       2018789      1        3        132383       0.46   6        0        33231       22063.83    0.00        22063.83   
  41       2816327      1        4        31590        0.11   1        0        31590       31590.00    0.00        31590.00   
  42       2821615      1        2        31575        0.11   1        0        31575       31575.00    0.00        31575.00   
  43       2815817      1        5        30373        0.11   1        0        30373       30373.00    0.00        30373.00   
  44       2816328      1        5        29555        0.10   1        0        29555       29555.00    0.00        29555.00   
  45       2025162      1        2        29500        0.10   1        0        29500       29500.00    0.00        29500.00   
  46       2816619      1        2        626001       2.20   111      0        29157       5639.65     0.00        5639.65    
  47       2829644      1        1        29129        0.10   1        0        29129       29129.00    0.00        29129.00   
  48       2816525      1        10       28663        0.10   1        0        28663       28663.00    0.00        28663.00   
  49       2816526      1        13       28575        0.10   1        0        28575       28575.00    0.00        28575.00   
  50       2809859      1        6        28570        0.10   1        0        28570       28570.00    0.00        28570.00   
  51       2816356      1        2        28540        0.10   1        0        28540       28540.00    0.00        28540.00   
  52       2806802      1        2        767740       2.70   40       0        28194       19193.50    0.00        19193.50   
  53       2816929      1        4        28190        0.10   1        0        28190       28190.00    0.00        28190.00   
  54       2819694      1        2        76870        0.27   3        0        27695       25623.33    0.00        25623.33   
  55       2816922      1        5        27488        0.10   1        0        27488       27488.00    0.00        27488.00   
  56       2816925      1        3        27286        0.10   1        0        27286       27286.00    0.00        27286.00   
  57       2816931      1        3        27240        0.10   1        0        27240       27240.00    0.00        27240.00   
  58       2018359      1        3        27222        0.10   1        0        27222       27222.00    0.00        27222.00   
  59       2018375      1        3        255805       0.90   18       0        27220       14211.39    0.00        14211.39   
  60       2816930      1        4        27052        0.09   1        0        27052       27052.00    0.00        27052.00   
  61       2819673      1        4        26961        0.09   1        0        26961       26961.00    0.00        26961.00   
  62       2816927      1        3        26914        0.09   1        0        26914       26914.00    0.00        26914.00   
  63       2816928      1        3        26774        0.09   1        0        26774       26774.00    0.00        26774.00   
  64       2020661      1        3        264588       0.93   22       0        25976       12026.73    0.00        12026.73   
  65       2016537      1        2        952183       3.34   67       0        24974       14211.69    0.00        14211.69   
  66       2001330      1        8        2104029      7.39   760      0        24904       2768.46     0.00        2768.46    
  67       2807130      1        4        80705        0.28   5        0        23620       16141.00    0.00        16141.00   
  68       2014701      1        12       26115        0.09   2        0        23492       13057.50    0.00        13057.50   
  69       2024829      1        2        102110       0.36   5        0        23056       20422.00    0.00        20422.00   
  70       2827505      1        2        22605        0.08   1        0        22605       22605.00    0.00        22605.00   
  71       2020766      1        2        22595        0.08   1        0        22595       22595.00    0.00        22595.00   
  72       2827279      1        5        22475        0.08   1        0        22475       22475.00    0.00        22475.00   
  73       2019083      1        2        22438        0.08   1        0        22438       22438.00    0.00        22438.00   
  74       2012707      1        5        22292        0.08   1        0        22292       22292.00    0.00        22292.00   
  75       2830035      1        2        22265        0.08   1        0        22265       22265.00    0.00        22265.00   
  76       2808577      1        5        1742628      6.12   651      0        22186       2676.85     0.00        2676.85    
  77       2826256      1        2        22163        0.08   1        0        22163       22163.00    0.00        22163.00   
  78       2809267      1        8        22119        0.08   1        0        22119       22119.00    0.00        22119.00   
  79       2829607      1        1        21925        0.08   1        0        21925       21925.00    0.00        21925.00   
  80       2811279      1        7        21900        0.08   1        0        21900       21900.00    0.00        21900.00   
  81       2828008      1        2        21889        0.08   1        0        21889       21889.00    0.00        21889.00   
  82       2020775      1        2        21728        0.08   1        0        21728       21728.00    0.00        21728.00   
  83       2023316      1        2        21525        0.08   1        0        21525       21525.00    0.00        21525.00   
  84       2804626      1        9        21451        0.08   1        0        21451       21451.00    0.00        21451.00   
  85       2020792      1        2        21441        0.08   1        0        21441       21441.00    0.00        21441.00   
  86       2808852      1        4        21430        0.08   1        0        21430       21430.00    0.00        21430.00   
  87       2815480      1        6        21266        0.07   1        0        21266       21266.00    0.00        21266.00   
  88       2024909      1        2        57951        0.20   3        0        21213       19317.00    0.00        19317.00   
  89       2810481      1        4        154777       0.54   8        0        21052       19347.12    0.00        19347.12   
  90       2816165      1        5        21036        0.07   1        0        21036       21036.00    0.00        21036.00   
  91       2020778      1        2        20904        0.07   1        0        20904       20904.00    0.00        20904.00   
  92       2014519      1        7        59057        0.21   3        0        20692       19685.67    0.00        19685.67   
  93       2808851      1        4        20556        0.07   1        0        20556       20556.00    0.00        20556.00   
  94       2815753      1        2        20489        0.07   1        0        20489       20489.00    0.00        20489.00   
  95       2809306      1        4        258828       0.91   18       0        19064       14379.33    0.00        14379.33   
  96       2018477      1        1        400249       1.41   32       0        18576       12507.78    0.00        12507.78   
  97       2016112      1        3        129111       0.45   9        0        17023       14345.67    0.00        14345.67   
  98       2811577      1        2        20628        0.07   2        0        16949       10314.00    0.00        10314.00   
  99       2017748      1        6        115546       0.41   8        0        16678       14443.25    0.00        14443.25   
  100      2826281      1        2        16594        0.06   1        0        16594       16594.00    0.00        16594.00   
  101      2803760      1        3        16268        0.06   1        0        16268       16268.00    0.00        16268.00   
  102      2811544      1        1        19247        0.07   2        0        15986       9623.50     0.00        9623.50    
  103      2022543      1        1        15934        0.06   1        0        15934       15934.00    0.00        15934.00   
  104      2016143      1        3        85881        0.30   6        0        15816       14313.50    0.00        14313.50   
  105      2021701      1        1        70662        0.25   20       0        15674       3533.10     0.00        3533.10    
  106      2823966      1        1        46925        0.16   12       0        15584       3910.42     0.00        3910.42    
  107      2019230      1        2        18741        0.07   2        0        15547       9370.50     0.00        9370.50    
  108      2022547      1        1        206639       0.73   69       0        15516       2994.77     0.00        2994.77    
  109      2801914      1        2        49147        0.17   14       0        15422       3510.50     0.00        3510.50    
  110      2016948      1        2        206228       0.72   15       0        15315       13748.53    0.00        13748.53   
  111      2016502      1        2        69664        0.24   5        0        15235       13932.80    0.00        13932.80   
  112      2014473      1        5        111622       0.39   8        0        14980       13952.75    0.00        13952.75   
  113      2014703      1        9        17349        0.06   2        0        14728       8674.50     0.00        8674.50    
  114      2024650      1        1        109103       0.38   8        0        14615       13637.88    0.00        13637.88   
  115      2014702      1        9        17226        0.06   2        0        14565       8613.00     0.00        8613.00    
  116      2016503      1        2        67799        0.24   5        0        14004       13559.80    0.00        13559.80   
  117      2021152      1        1        52643        0.18   16       0        13029       3290.19     0.00        3290.19    
  118      2018487      1        4        10470        0.04   1        0        10470       10470.00    0.00        10470.00   
  119      2018377      1        3        54766        0.19   18       0        7660        3042.56     0.00        3042.56    
  120      2100327      1        10       32488        0.11   10       0        4756        3248.80     0.00        3248.80    
  121      2100540      1        12       7353         0.03   2        0        4417        3676.50     0.00        3676.50    
  122      2009243      1        2        4310         0.02   1        0        4310        4310.00     0.00        4310.00    
  123      2018382      1        8        54478        0.19   18       0        4299        3026.56     0.00        3026.56    
  124      2024777      1        2        114770       0.40   42       0        4138        2732.62     0.00        2732.62    
  125      2828876      1        1        1

This file has been truncated.


packet_stats.log - (13036 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1813           171312      255514567     189858962        344.2b   99.99
 IPv4      17             2         10606837       11112848      10859842         21.7m    0.01
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1813            66520       17059396        171432        310.8m   90.06
TMM_FLOWWORKER              IPv4      17             2           432253        1073823        753038          1.5m    0.44
TMM_RECEIVEPCAPFILE         IPv4       6          1798             2539       17785612         15377         27.6m    8.01
TMM_RECEIVEPCAPFILE         IPv4      17             2             3047           4512          3779          7.6k    0.00
TMM_DECODEPCAPFILE          IPv4       6          1798             2652          15234          2840          5.1m    1.48
TMM_DECODEPCAPFILE          IPv4      17             2             3098          13468          8283         16.6k    0.00

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          1798             2721         387787          3595          6.5m  2.36  
flow                    IPv4      17             2             6887          10278          8582         17.2k  0.01  
stream                  IPv4       6          1813             2597         298086          6513         11.8m  4.30  
app-layer               IPv4      17             2            12562          30544         21553         43.1k  0.02  
detect                  IPv4       6          1813            44552       17026603        137860        249.9m  91.08 
detect                  IPv4      17             2           331628         577487        454557        909.1k  0.33  
tcp-prune               IPv4       6          1813             2523          24173          2882          5.2m  1.90  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             1            72919          72919         72919         72.9k  43.44 
tls                     IPv4       6            11             2743           7261          3650         40.2k  23.92 
dns                     IPv4      17             2             6555           9315          7935         15.9k  9.45  
failed                  IPv4       6            14             2542           3548          2779         38.9k  23.18 
Proto detect            IPv4      17             2            11306          11306         11306         22.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             7            18463          78825         31394        219.8k  9.31  
LOGGER_UNIFIED2             IPv4       6             7            24105         180483         62094        434.7k  18.41 
LOGGER_JSON_ALERT           IPv4       6             7            45263          94463         63191        442.3k  18.74 
LOGGER_JSON_DNS             IPv4      17             2            60445         430827        245636        491.3k  20.81 
LOGGER_JSON_HTTP            IPv4       6             1           127217         127217        127217        127.2k  5.39  
LOGGER_JSON_TLS             IPv4       6             6            49471         123909         83333        500.0k  21.18 
LOGGER_JSON_FILE            IPv4       6             1           145348         145348        145348        145.3k  6.16  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           825             2566         411574         19993        16.5m  27.28 
payload                           IPv4      17             2            29032          29645         29338        58.7k  0.10  
stream                            IPv4       6           825             2540         552921         32867        27.1m  44.84 
http_uri                          IPv4       6             1             8351           8351          8351         8.4k  0.01  
http_request_line                 IPv4       6             1             8204           8204          8204         8.2k  0.01  
http_client_body                  IPv4       6             1             3676           3676          3676         3.7k  0.01  
http_header (request)             IPv4       6             1            66862          66862         66862        66.9k  0.11  
http_header (request trailer)     IPv4       6             1             2647           2647          2647         2.6k  0.00  
http_header_names (request)       IPv4       6             1            26383          26383         26383        26.4k  0.04  
http_accept (request)             IPv4       6             1             3995           3995          3995         4.0k  0.01  
http_referer (request)            IPv4       6             1             3368           3368          3368         3.4k  0.01  
http_content_len (request)        IPv4       6             1             3853           3853          3853         3.9k  0.01  
http_content_type (request)       IPv4       6             1             3431           3431          3431         3.4k  0.01  
http_protocol (request)           IPv4       6             1             5253           5253          5253         5.3k  0.01  
http_start (request)              IPv4       6             1            16111          16111         16111        16.1k  0.03  
http_raw_header (request)         IPv4       6             1            15958          15958         15958        16.0k  0.03  
http_method                       IPv4       6             1             7393           7393          7393         7.4k  0.01  
http_cookie (request)             IPv4       6             1             3753           3753          3753         3.8k  0.01  
http_raw_uri                      IPv4       6             1             4863           4863          4863         4.9k  0.01  
http_user_agent                   IPv4       6             1            29383          29383         29383        29.4k  0.05  
http_host                         IPv4       6             1             7618           7618          7618         7.6k  0.01  
dns_query                         IPv4      17             1             8585           8585          8585         8.6k  0.01  
tls_sni                           IPv4       6             6             2715           3251          2930        17.6k  0.03  
http_response_line                IPv4       6             1            10066          10066         10066        10.1k  0.02  
http_header (response)            IPv4       6             1            47238          47238         47238        47.2k  0.08  
http_header (response trailer)    IPv4       6             1             3564           3564          3564         3.6k  0.01  
http_content_type (response)      IPv4       6             1             6962           6962          6962         7.0k  0.01  
http_raw_header (response)        IPv4       6           111             4639          15339          5122       568.7k  0.94  
http_cookie (response)            IPv4       6             1             3161           3161          3161         3.2k  0.01  
http_stat_code                    IPv4       6             1             4103           4103          4103         4.1k  0.01  
tls_cert_issuer                   IPv4       6             6             4645           7876          6165        37.0k  0.06  
tls_cert_subject                  IPv4       6             6             5434           9232          6697        40.2k  0.07  
tls_cert_serial                   IPv4       6             6             4118           5539          4953        29.7k  0.05  
file_data (http response)         IPv4       6           110             2582        1152339        143707        15.8m  26.14 
Total                             IPv4                  1922                                         31464        60.5m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            48             3371         102216         32460          1.6m  0.50  
PROF_DETECT_IPONLY          IPv4      17             2            41327          69088         55207        110.4k  0.04  
PROF_DETECT_RULES           IPv4       6          1813             2531        1931905         22538         40.9m  13.21 
PROF_DETECT_RULES           IPv4      17             2           176769         311832        244300        488.6k  0.16  
PROF_DETECT_STATEFUL_START    IPv4       6           114             5122         942387         71295          8.1m  2.63  
PROF_DETECT_STATEFUL_CONT    IPv4       6          1813             2510          68962          5938         10.8m  3.48  
PROF_DETECT_STATEFUL_CONT    IPv4      17             2             6493          62852         34672         69.3k  0.02  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           738             2551          30321          2791          2.1m  0.67  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             2             3303           3601          3452          6.9k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          1813             7728       16946899         64154        116.3m  37.61 
PROF_DETECT_PREFILTER       IPv4      17             2            52545          74501         63523        127.0k  0.04  
PROF_DETECT_PF_PAYLOAD      IPv4       6           825            15529       16901465         81672         67.4m  21.79 
PROF_DETECT_PF_PAYLOAD      IPv4      17             2            34215          35010         34612         69.2k  0.02  
PROF_DETECT_PF_TX           IPv4       6           738             2579        1164902         26917         19.9m  6.42  
PROF_DETECT_PF_TX           IPv4      17             1            14935          14935         14935         14.9k  0.00  
PROF_DETECT_PF_SORT1        IPv4       6           547             2527          44990          2935          1.6m  0.52  
PROF_DETECT_PF_SORT1        IPv4      17             2             4002           4306          4154          8.3k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6          1813             2516          32491          2857          5.2m  1.68  
PROF_DETECT_PF_SORT2        IPv4      17             2             3065           5057          4061          8.1k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6          1813             2530          26223          2954          5.4m  1.73  
PROF_DETECT_NONMPMLIST      IPv4      17             2             3008           4247          3627          7.3k  0.00  
PROF_DETECT_ALERT           IPv4       6          1813             2525          65979          2788          5.1m  1.63  
PROF_DETECT_ALERT           IPv4      17             2             3294           5235          4264          8.5k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          1813             2580       13366267         10225         18.5m  5.99  
PROF_DETECT_CLEANUP         IPv4      17             2             4601           5194          4897          9.8k  0.00  
PROF_DETECT_GETSGH          IPv4       6          1813             2518          96124          3129          5.7m  1.83  
PROF_DETECT_GETSGH          IPv4      17             2             6130           6533          6331         12.7k  0.00  


suricata-report-2019-01-28-T-12-58-04-01282019.1257-2017-04-19-Dridex-malspam-traffic-example.pcap.txt - (17828 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/9efc00338cf64e85a29958f0d139f03256b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1257-2017-04-19-Dridex-malspam-traffic-example.pcap -vvv -k none
elapsedtime:20.987510
stderr:
stdout:
28/1/2019 -- 12:57:43 - <Info> - Configuration node 'rule-files' redefined.
28/1/2019 -- 12:57:43 - <Notice> - This is Suricata version 4.0.0 RELEASE
28/1/2019 -- 12:57:43 - <Info> - CPUs/cores online: 1
28/1/2019 -- 12:57:43 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31813 and 'request-body-inspect-window' set to 16171 after randomization.
28/1/2019 -- 12:57:43 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33315 and 'response-body-inspect-window' set to 16744 after randomization.
28/1/2019 -- 12:57:43 - <Config> - DNS request flood protection level: 500
28/1/2019 -- 12:57:43 - <Config> - DNS per flow memcap (state-memcap): 524288
28/1/2019 -- 12:57:43 - <Config> - DNS global memcap: 16777216
28/1/2019 -- 12:57:43 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
28/1/2019 -- 12:57:43 - <Config> - preallocated 1000 hosts of size 136
28/1/2019 -- 12:57:43 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
28/1/2019 -- 12:57:43 - <Config> - using magic-file /usr/share/file/magic
28/1/2019 -- 12:57:43 - <Config> - Core dump size is unlimited.
28/1/2019 -- 12:57:43 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
28/1/2019 -- 12:57:43 - <Config> - preallocated 1000 defrag trackers of size 168
28/1/2019 -- 12:57:43 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
28/1/2019 -- 12:57:43 - <Config> - stream "prealloc-sessions": 2048 (per thread)
28/1/2019 -- 12:57:43 - <Config> - stream "memcap": 33554432
28/1/2019 -- 12:57:43 - <Config> - stream "midstream" session pickups: disabled
28/1/2019 -- 12:57:43 - <Config> - stream "async-oneside": disabled
28/1/2019 -- 12:57:43 - <Config> - stream "checksum-validation": disabled
28/1/2019 -- 12:57:43 - <Config> - stream."inline": disabled
28/1/2019 -- 12:57:43 - <Config> - stream "bypass": disabled
28/1/2019 -- 12:57:43 - <Config> - stream "max-synack-queued": 5
28/1/2019 -- 12:57:43 - <Config> - stream.reassembly "memcap": 134217728
28/1/2019 -- 12:57:43 - <Config> - stream.reassembly "depth": 0
28/1/2019 -- 12:57:43 - <Config> - stream.reassembly "toserver-chunk-size": 2563
28/1/2019 -- 12:57:43 - <Config> - stream.reassembly "toclient-chunk-size": 2633
28/1/2019 -- 12:57:43 - <Config> - stream.reassembly.raw: enabled
28/1/2019 -- 12:57:43 - <Config> - stream.reassembly "segment-prealloc": 2048
28/1/2019 -- 12:57:43 - <Config> - Delayed detect disabled
28/1/2019 -- 12:57:43 - <Config> - pattern matchers: MPM: ac, SPM: bm
28/1/2019 -- 12:57:43 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
28/1/2019 -- 12:57:43 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
28/1/2019 -- 12:57:43 - <Config> - prefilter engines: MPM
28/1/2019 -- 12:57:43 - <Config> - IP reputation disabled
28/1/2019 -- 12:57:43 - <Perf> - Registered 148 keyword profiling counters.
28/1/2019 -- 12:57:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
28/1/2019 -- 12:57:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
28/1/2019 -- 12:57:43 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
28/1/2019 -- 12:57:48 - <Config> - No rules loaded from ET-icmp.rules.
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
28/1/2019 -- 12:57:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
28/1/2019 -- 12:57:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
28/1/2019 -- 12:57:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
28/1/2019 -- 12:57:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
28/1/2019 -- 12:57:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
28/1/2019 -- 12:57:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
28/1/2019 -- 12:57:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
28/1/2019 -- 12:57:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
28/1/2019 -- 12:57:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
28/1/2019 -- 12:57:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
28/1/2019 -- 12:57:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
28/1/2019 -- 12:57:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
28/1/2019 -- 12:57:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
28/1/2019 -- 12:57:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
28/1/2019 -- 12:57:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
28/1/2019 -- 12:57:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
28/1/2019 -- 12:57:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
28/1/2019 -- 12:57:55 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
28/1/2019 -- 12:57:55 - <Config> - No rules loaded from local.rules.
28/1/2019 -- 12:57:55 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
28/1/2019 -- 12:57:55 - <Info> - Threshold config parsed: 0 rule(s) found
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for tcp-packet
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for tcp-stream
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for udp-packet
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for other-ip
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_uri
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_client_body
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_accept
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_accept_enc
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_accept_lang
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_referer
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_connection
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_method
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_raw_uri
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_user_agent
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_host
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_raw_host
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_stat_msg
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_stat_code
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for dns_query
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for tls_sni
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for tls_cert_issuer
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for tls_cert_subject
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for tls_cert_serial
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:57:56 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:57:56 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
28/1/2019 -- 12:57:56 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
28/1/2019 -- 12:57:56 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
28/1/2019 -- 12:57:56 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
28/1/2019 -- 12:57:56 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
28/1/2019 -- 12:57:56 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
28/1/2019 -- 12:57:56 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
28/1/2019 -- 12:57:56 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
28/1/2019 -- 12:58:00 - <Perf> - Unique rule groups: 104
28/1/2019 -- 12:58:00 - <Perf> - Builtin MPM "toserver TCP packet": 35
28/1/2019 -- 12:58:00 - <Perf> - Builtin MPM "toclient TCP packet": 17
28/1/2019 -- 12:58:00 - <Perf> - Builtin MPM "toserver TCP stream": 33
28/1/2019 -- 12:58:00 - <Perf> - Builtin MPM "toclient TCP stream": 19
28/1/2019 -- 12:58:00 - <Perf> - Builtin MPM "toserver UDP packet": 27
28/1/2019 -- 12:58:00 - <Perf> - Builtin MPM "toclient UDP packet": 17
28/1/2019 -- 12:58:00 - <Perf> - Builtin MPM "other IP packet": 3
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_uri": 14
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_request_line": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_client_body": 6
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient http_response_line": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_header": 10
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient http_header": 6
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_header_names": 2
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_accept": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_referer": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_content_len": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_content_type": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient http_content_type": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_protocol": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_start": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_method": 5
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_cookie": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient http_cookie": 2
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver http_host": 2
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver dns_query": 4
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver tls_sni": 2
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toserver file_data": 1
28/1/2019 -- 12:58:00 - <Perf> - AppLayer MPM "toclient file_data": 7
28/1/2019 -- 12:58:02 - <Perf> - Registered 39590 rule profiling counters.
28/1/2019 -- 12:58:02 - <Info> - fast output device (regular) initialized: alert
28/1/2019 -- 12:58:02 - <Info> - eve-log output device (regular) initialized: eve.json
28/1/2019 -- 12:58:02 - <Config> - enabling 'eve-log' module 'alert'
28/1/2019 -- 12:58:02 - <Config> - enabling 'eve-log' module 'http'
28/1/2019 -- 12:58:02 - <Config> - enabling 'eve-log' module 'dns'
28/1/2019 -- 12:58:02 - <Config> - enabling 'eve-log' module 'tls'
28/1/2019 -- 12:58:02 - <Config> - enabling 'eve-log' module 'files'
28/1/2019 -- 12:58:02 - <Config> - enabling 'eve-log' module 'ssh'
28/1/2019 -- 12:58:02 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
28/1/2019 -- 12:58:02 - <Info> - stats output device (regular) initialized: stats.log
28/1/2019 -- 12:58:02 - <Config> - AutoFP mode using "Hash" flow load balancer
28/1/2019 -- 12:58:02 - <Info> - reading pcap file /var/pcap/01282019.1257-2017-04-19-Dridex-malspam-traffic-example.pcap
28/1/2019 -- 12:58:02 - <Co

This file has been truncated.


stats.log - (3521 bytes)
------------------------------------------------------------------------------------
Date: 1/28/2019 -- 12:58:04 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1800
decoder.bytes                              | Total                     | 1527065
decoder.ipv4                               | Total                     | 1800
decoder.ethernet                           | Total                     | 1800
decoder.tcp                                | Total                     | 1798
decoder.udp                                | Total                     | 2
decoder.avg_pkt_size                       | Total                     | 848
decoder.max_pkt_size                       | Total                     | 3067
flow.tcp                                   | Total                     | 25
flow.udp                                   | Total                     | 1
tcp.sessions                               | Total                     | 25
tcp.syn                                    | Total                     | 49
tcp.synack                                 | Total                     | 13
tcp.rst                                    | Total                     | 17
tcp.reassembly_gap                         | Total                     | 3
tcp.overlap                                | Total                     | 2
detect.alert                               | Total                     | 8
detect.mpm_list                            | Total                     | 1
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 1
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 1
app_layer.flow.tls                         | Total                     | 6
app_layer.flow.failed_tcp                  | Total                     | 6
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 1
flow_mgr.closed_pruned                     | Total                     | 1
flow_mgr.new_pruned                        | Total                     | 6
flow_mgr.est_pruned                        | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 26
flow_mgr.flows_notimeout                   | Total                     | 10
flow_mgr.flows_timeout                     | Total                     | 16
flow_mgr.flows_timeout_inuse               | Total                     | 8
flow_mgr.flows_removed                     | Total                     | 8
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65510
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7081792


eve.json - (7192 bytes)
{"timestamp":"2017-04-19T17:32:49.058851+0000","flow_id":1165558011782627,"pcap_cnt":1,"event_type":"dns","src_ip":"10.4.19.103","src_port":54570,"dest_ip":"10.4.19.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4539,"rrname":"jeanevermore.com","rrtype":"A","tx_id":0}}
{"timestamp":"2017-04-19T17:32:49.535943+0000","flow_id":1165558011782627,"pcap_cnt":2,"event_type":"dns","src_ip":"10.4.19.1","src_port":53,"dest_ip":"10.4.19.103","dest_port":54570,"proto":"UDP","dns":{"type":"answer","id":4539,"rcode":"NOERROR","rrname":"jeanevermore.com","rrtype":"A","ttl":5,"rdata":"216.117.150.240"}}
{"timestamp":"2017-04-19T17:32:50.355938+0000","flow_id":304051996671990,"pcap_cnt":11,"event_type":"alert","src_ip":"10.4.19.103","src_port":49181,"dest_ip":"216.117.150.240","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2023583,"rev":4,"signature":"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2017-04-19T17:32:50.355938+0000","flow_id":304051996671990,"pcap_cnt":11,"event_type":"alert","src_ip":"10.4.19.103","src_port":49181,"dest_ip":"216.117.150.240","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024325,"rev":3,"signature":"ET TROJAN MalDoc Retrieving Payload May 23 2017 2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2017-04-19T17:32:52.090748+0000","flow_id":304051996671990,"pcap_cnt":185,"event_type":"http","src_ip":"10.4.19.103","src_port":49181,"dest_ip":"216.117.150.240","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"jeanevermore.com","url":"\/6gfd43","http_user_agent":"\"Mozilla\/5.2 (Windows NT 6.2; rv:50.2) Gecko\/20200103 Firefox\/50.2\"","http_content_type":"text\/plain"}}
{"timestamp":"2017-04-19T17:32:58.138611+0000","flow_id":1241347005156275,"pcap_cnt":193,"event_type":"tls","src_ip":"10.4.19.103","src_port":49182,"dest_ip":"216.177.132.93","dest_port":4143,"proto":"TCP","tls":{"subject":"C=JO, L=Amman, O=Scaly SCS, CN=edencot-harcanv.ceb","issuerdn":"C=JO, L=Amman, O=Scaly SCS, CN=edencot-harcanv.ceb"}}
{"timestamp":"2017-04-19T17:32:58.139670+0000","flow_id":1241347005156275,"pcap_cnt":195,"event_type":"alert","src_ip":"216.177.132.93","src_port":4143,"dest_ip":"10.4.19.103","dest_port":49182,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2023476,"rev":5,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2017-04-19T17:33:02.035232+0000","flow_id":20932048258405,"pcap_cnt":214,"event_type":"tls","src_ip":"10.4.19.103","src_port":49184,"dest_ip":"216.177.132.93","dest_port":4143,"proto":"TCP","tls":{"subject":"C=JO, L=Amman, O=Scaly SCS, CN=edencot-harcanv.ceb","issuerdn":"C=JO, L=Amman, O=Scaly SCS, CN=edencot-harcanv.ceb"}}
{"timestamp":"2017-04-19T17:33:02.036225+0000","flow_id":20932048258405,"pcap_cnt":216,"event_type":"alert","src_ip":"216.177.132.93","src_port":4143,"dest_ip":"10.4.19.103","dest_port":49184,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2023476,"rev":5,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2017-04-19T17:33:07.041401+0000","flow_id":304051996671990,"pcap_cnt":366,"event_type":"fileinfo","src_ip":"216.117.150.240","src_port":80,"dest_ip":"10.4.19.103","dest_port":49181,"proto":"TCP","http":{"hostname":"jeanevermore.com","url":"\/6gfd43","http_user_agent":"\"Mozilla\/5.2 (Windows NT 6.2; rv:50.2) Gecko\/20200103 Firefox\/50.2\"","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":151552},"app_proto":"http","fileinfo":{"filename":"\/6gfd43","gaps":false,"state":"CLOSED","stored":false,"size":151552,"tx_id":0}}
{"timestamp":"2017-04-19T17:33:14.728386+0000","flow_id":1395433253007590,"pcap_cnt":691,"event_type":"tls","src_ip":"10.4.19.103","src_port":49185,"dest_ip":"216.177.132.93","dest_port":4143,"proto":"TCP","tls":{"subject":"C=JO, L=Amman, O=Scaly SCS, CN=edencot-harcanv.ceb","issuerdn":"C=JO, L=Amman, O=Scaly SCS, CN=edencot-harcanv.ceb"}}
{"timestamp":"2017-04-19T17:33:14.729409+0000","flow_id":1395433253007590,"pcap_cnt":693,"event_type":"alert","src_ip":"216.177.132.93","src_port":4143,"dest_ip":"10.4.19.103","dest_port":49185,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2023476,"rev":5,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2017-04-19T17:33:22.305989+0000","flow_id":1919097141027698,"pcap_cnt":708,"event_type":"tls","src_ip":"10.4.19.103","src_port":49186,"dest_ip":"216.177.132.93","dest_port":4143,"proto":"TCP","tls":{"subject":"C=JO, L=Amman, O=Scaly SCS, CN=edencot-harcanv.ceb","issuerdn":"C=JO, L=Amman, O=Scaly SCS, CN=edencot-harcanv.ceb"}}
{"timestamp":"2017-04-19T17:33:22.307074+0000","flow_id":1919097141027698,"pcap_cnt":710,"event_type":"alert","src_ip":"216.177.132.93","src_port":4143,"dest_ip":"10.4.19.103","dest_port":49186,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2023476,"rev":5,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2017-04-19T17:37:44.050975+0000","flow_id":1453814760866567,"pcap_cnt":753,"event_type":"tls","src_ip":"10.4.19.103","src_port":49192,"dest_ip":"203.206.230.127","dest_port":443,"proto":"TCP","tls":{"subject":"C=OM, L=Muscat, O=Lewes Ioter S.n.c., CN=wepli-ndtus.toshiba","issuerdn":"C=OM, L=Muscat, O=Lewes Ioter S.n.c., CN=wepli-ndtus.toshiba"}}
{"timestamp":"2017-04-19T17:37:44.059696+0000","flow_id":1453814760866567,"pcap_cnt":755,"event_type":"alert","src_ip":"203.206.230.127","src_port":443,"dest_ip":"10.4.19.103","dest_port":49192,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2023476,"rev":5,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}
{"timestamp":"2017-04-19T17:38:28.564104+0000","flow_id":500190290253252,"pcap_cnt":1758,"event_type":"tls","src_ip":"10.4.19.103","src_port":49200,"dest_ip":"203.206.230.127","dest_port":443,"proto":"TCP","tls":{"subject":"C=OM, L=Muscat, O=Lewes Ioter S.n.c., CN=wepli-ndtus.toshiba","issuerdn":"C=OM, L=Muscat, O=Lewes Ioter S.n.c., CN=wepli-ndtus.toshiba"}}
{"timestamp":"2017-04-19T17:38:28.570718+0000","flow_id":500190290253252,"pcap_cnt":1760,"event_type":"alert","src_ip":"203.206.230.127","src_port":443,"dest_ip":"10.4.19.103","dest_port":49200,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2023476,"rev":5,"signature":"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)","category":"A Network Trojan was detected","severity":1},"app_proto":"tls"}


keyword_perf.log - (10836 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:58:04
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             1173121         390             390             13951           3008.00         3008.00         0.00           
  content          9037089         930             424             499559          9717.00         6703.00         12242.00       
  pcre             726272          176             94              32510           4126.00         3766.00         4539.00        
  byte_test        264434          86              69              5529            3074.00         3049.00         3176.00        
  byte_jump        16178           5               0               3986            3235.00         0.00            3235.00        
  isdataat         2825            1               0               2825            2825.00         0.00            2825.00        
  flowbits         265531          93              5               6901            2855.00         3601.00         2812.00        
  urilen           53477           17              2               3596            3145.00         3067.00         3156.00        
  byte_extract     23823           8               8               4061            2977.00         2977.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             1173121         390             390             13951           3008.00         3008.00         0.00           
  flowbits         258630          92              4               4326            2811.00         2777.00         2812.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2246459         582             351             62290           3859.00         4337.00         3134.00        
  pcre             615154          162             90              32510           3797.00         3589.00         4056.00        
  byte_test        264434          86              69              5529            3074.00         3049.00         3176.00        
  byte_jump        16178           5               0               3986            3235.00         0.00            3235.00        
  isdataat         2825            1               0               2825            2825.00         0.00            2825.00        
  byte_extract     23823           8               8               4061            2977.00         2977.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         6901            1               1               6901            6901.00         6901.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20634           6               2               3925            3439.00         3672.00         3322.00        
  pcre             14860           3               2               5179            4953.00         5140.00         4579.00        
  urilen           53477           17              2               3596            3145.00         3067.00         3156.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3483            1               0               3483            3483.00         0.00            3483.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6477653         270             16              499559          23991.00        67756.00        21234.00       
  pcre             14130           2               0               9966            7065.00         0.00            7065.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          185592          44              37              5603            4218.00         4244.00         4079.00        
  pcre             72246           7               2               19900           10320.00        10335.00        10315.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          42804           11              7               4983            3891.00         4121.00         3487.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          10665           3               2               4309            3555.00         3861.00         2943.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          43362           11              7               4803            3942.00         4058.00         3738.00        
  pcre             9882            2               0               5106            4941.00         0.00            4941.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6437            2               2               3411            3218.00         3218.00         0.00           


unified2.alert.1548680282 - (8346 bytes) - download
[Binary unified2 record file; the raw bytes are not rendered as text. Only the printable strings in the packet records are kept here, in the order they appear.]

Two packet records carry the same HTTP request:
GET /6gfd43 HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: "Mozilla/5.2 (Windows NT 6.2; rv:50.2) Gecko/20200103 Firefox/50.2"
Accept-Encoding: gzip, deflate
Host: jeanevermore.com
Connection: Keep-Alive

Four packet records carry a DER-encoded X.509 certificate whose printable name strings are "JO", "Amman", "Scaly SCS" and "edencot-harcanv.ceb" (issuer and subject are identical, i.e. self-signed), with UTCTime validity strings 170419081505Z and 171018081505Z.

Two packet records carry a second DER-encoded X.509 certificate whose printable name strings are "OM", "Muscat", "Lewes Ioter S.n.c." and "wepli-ndtus.toshiba" (again identical issuer and subject), with UTCTime validity strings 170417084351Z and 171016084351Z.


suricata-4.0.0-etpro-all-alert-2019-01-28-T-12-58-04-01282019.1257-2017-04-19-Dridex-malspam-traffic-example.pcap.txt - (1860 bytes) - download
04/19/2017-17:32:50.355938  [**] [1:2023583:4] ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.4.19.103:49181 -> 216.117.150.240:80
04/19/2017-17:32:50.355938  [**] [1:2024325:3] ET TROJAN MalDoc Retrieving Payload May 23 2017 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.4.19.103:49181 -> 216.117.150.240:80
04/19/2017-17:32:58.139670  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 216.177.132.93:4143 -> 10.4.19.103:49182
04/19/2017-17:33:02.036225  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 216.177.132.93:4143 -> 10.4.19.103:49184
04/19/2017-17:33:14.729409  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 216.177.132.93:4143 -> 10.4.19.103:49185
04/19/2017-17:33:22.307074  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 216.177.132.93:4143 -> 10.4.19.103:49186
04/19/2017-17:37:44.059696  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.206.230.127:443 -> 10.4.19.103:49192
04/19/2017-17:38:28.570718  [**] [1:2023476:5] ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.206.230.127:443 -> 10.4.19.103:49200


IDSDeathBlossom.py.log - (1181 bytes) - download
2019-01-28 12:57:42,551 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-28 12:57:43,278 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-28 12:57:43,279 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-28 12:57:43,279 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-28 12:57:43,279 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-28 12:57:43,280 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/9efc00338cf64e85a29958f0d139f03256b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1257-2017-04-19-Dridex-malspam-traffic-example.pcap -vvv -k none
2019-01-28 12:58:04,268 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-28 12:58:04,269 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.7298691273