Filename: 2018-02-08-malspam-pushing-Quant-Loader-1st-run.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 9.69226884842 seconds
Hash: a1ae87e6471a7e77b84e88703e877f2a
Uploaded: 1548332088

Logfiles


unified2.alert.1548332095 - (77112 bytes) - download
4Z|–°ÎÑýwo1
ePÀ"ŠZ|–Z|–°Î"nE"`Ÿäwo1
ePÀP’0{ Œÿo÷²:1È&~ï
ɯI
Ù ¯KèNextü Iÿ!_QÁ!-ÿOq<?¡O¿ec3¡ÑE(s)P dyüouÀp}—¢à@U².ÿÏm£
s0?±¥&ÿ™ÿ°ïñ_aQaaÿaOß`£‹Ab wß`Qbõ…´.ÿ'Ÿ`–`þ'T__a³“"3pLY«ÿ›³W^ŽÎÂ'Ï]Ò' grabx pa ¦àcõKdbPñ= GetFileÑ("Q™Às.txt"PX]¿òbalread€y exist°('ƖìVåaLBQÌ(DâB Ko UÖA
A7(IaFð(I).1	name, {‘‘HT°<{H? ž Ü!¦H¯ï 0ßÁÆ  /Á' màodify†# ÏåÁW±¿DB°
ÿñÿ1V€%aŸ–Ô!–"¯¦¥*²ÂÏÆMó
éBy4AÿþÄOnðNow¯¦A@ƒ73µ
 .Groups = sGrpœBanMe ssageVbanmsgZEnd` With:/' commit modifica tions+Call WriteDatabase(dbPath)/' log ac4If (BotVars.L ogDBAƒ) ðThen+°P(ModEntry, IIf(IBn*, "c€pole", Username), @DB(I)., _35TypBeRank…FðlagsƒñÔHÁkIfÓS' we have fo"u@{the
sp„ecued u:ƒS	= TruÔ‰Ó
ExForO‘4Next IË
AK' did6fi5a matc@hing ep €or not?ËƒÁ‰Å/Falseˆ‹	Ák' redeÀe arrayp sizÐ;A€v0G‚ÀÛvbNullStr€#™ ReDÀim Pre[€g{ÂO"Eà¯aïUBA<(DB) +ü 1PHe-
€ZGß4Pf^ Á_s.Á[ ‚Iàh(gAccp>= 0€g˜ef,ÿ tÂe€b‚ày9âYBy eu|On`NowÔAddäedÿ	 .œ	၏ 
‚$`£Â<> H†Aà[ˆ"%")[(db	, "US˜ER"Õ8_É .ßÈàPaJ_ÈV  'MÀsgBox ãÀO,ý/'ÎBŸÍ#¡±ÿšÌÁ|Ì!ŽËBŸËÿ†Ëx8_f›ÓàC9# ÿL6g™4ÂgY_hDÏ%Däb?  K`heck0hr errors & create mϓŠ!¶@ >À@Ï|²tmpbufP4¤DB>ToƒW(ÁV,€&)À"@ps been giÊvPrx "ßH?‚Ö‹	±Pvas¾ °u¢sá7ufC~8tooliáLeön£R)¯c3@‘ets@oke surepdon'táß	A' improper g@rammarÀc¢a~ of o€¥þ!¯¡Å	A§o	8óö„& €“²ÂR_¿Qïn¸ Ï"ì aðQÿgO©‚¯*óó  ¿±¯À$õ¯s_ _ïãRûÖ¯-r¯-¨-ç¿-öûŸ¦ ßÐp­§;œassignФðto a&<%ߺFÓWï!±'ñ!hcÀ9òmad Gmb€0€/@ø  "…gQ×(s):,߯׿"u_t‘¡JÿJ_
oJåq_
âòbÌZ_ï\ter(miná[s·en.cܱ° `å àFioždk"„B."'Ý—"ug_ChaÀnnel.Cea^¤>‰CQ¼turn+fcmdRet(L0)@c#
±F$unrã '@Äd ’fåOn {
rU€€€		0‰±Ù	a
4	a)	ÿÿÿÿÿÿÿÿÿÿÿÿ`IÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿµW—ÿÿÿÿÿÿÿÿÿÿÿÿ4HrU€€€	ÿÿÿÿÿÿÿÿ@(`øÿÿÿÿÿÿÿÿÿÿÿÿÿÿ&$A`ñÿÿÿÿÿÿÿÿD`õÿÿÿÿÿÿÿÿÿÿ¡ÁÙñÿÿÿÿ/p#nàä„ ôÍG«ÿÿˆ¶ÿÿÿÿÿÿÿÿhÿÿÃfy¾xá†Dˆm’€„6c⟝ÓfΌCµpxîøZV˹5Õ&B›õãÖäühé·&—Àâ³;Cµge|/sÐÿÿÿÿÿÿÿÿÿÿÿÿx·&—Àâ³;Cµge|/sÐÃfy¾xá†Dˆm’€„6cÿÿMEÿÿÿÿÿÿÿÿÿÿßÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿPSPÿÿÿÿSÿÿÿÿSÿÿÿÿSÿÿÿÿ6"ÿÿÿÿ<ÿÿ<ÿÿ<ÿÿÿÿÿÿš0{D39D9FE2-CE66-438C-B508-7078EEF8035A}{B9CB0456-D535-4226-9BF5-E3D6E4FC68E9}ÿÿÿÿЀþÿ0ÿÿ(ÿÿÿÿÿÿÿÿÿÿ%þÿÿÿÿÿÿÿÿÿXÿÿ0ÿÿÿÿÿÿÿÿ%ÿÿÿÿƒþÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ%‚ ¼ÿÿÿÿþÿÿÿÀÿÿþÿÿÿÿÿÿÿÿÿÿÿ%ÿÿÿÿ0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ0ÿÿÿÿÿÿÿÿÿÿÿÿ˜hl¼¼ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ`«ÊQ\$*\Rffff*0>5c51cb0bß#4!8"<&@(DHL$P%T'Xÿÿÿÿ\ `þÊÿÿÿÿÿÿÿÿxÿÿÿÿà°Attribute VB_Name = "pel"e"

øBas|0{D39D9FE2-CE66-438C-B508-7078EEF8035A}{B9CB0456-D535-4226-9BF5-E3D6E4€FC68E9}
d@GlobalŠSpacoFalseŠCreatablPredeHclaIdÓTru
BExpose0TemplateDeriv–Customiz‹D,äZh8ÍGwwÿÿ€¶ÿÿÿÿÿÿÿÿ<ÿÿò.¤ò"Ö5I¸‹ék–*=ûüú h§8+3qµhÎ\ 0C¤`$Íù(ÿÿÿÿÿÿÿÿÿÿÿÿxhÎ\ 0C¤`$Íù(ò.¤ò"Ö5I¸‹ék–ÿÿMEÿÿÿÿÿÿÿÿÿÿßÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ(SÿÿÿÿSÿÿÿÿS”ÿÿÿÿ6"ÿÿÿÿÿÿGET2
ÿÿÿÿÿÿÿÿ!Module2
ÿÿÿÿÞ;REG1
ÿÿÿÿYModule1ÿÿÿÿÿÿÿÿÿÿÿÿ²(N0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}ÿÿÿÿÀ@`ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ”Ä€`ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ÿÿ		”Òà`ÿÿÿÿÿÿÿÿÿÿÿÿÀÿÿ$ÿÿ¼iƒþÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ä@`ÿÿÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿ(ÿÿ”Yƒæÿÿÿÿÿÿÿÿÿÿÿÿÿÿ€ˆì `ÿÿÿÿÿÿÿÿÿÿÿÿ€ÿÿÿÿ,ÿÿ”Yƒæÿÿÿÿÿÿÿÿÿÿÿÿÿÿ€ôÿÿÿÿ`ÿÿÿÿÿÿÿÿÿÿÿÿàÿÿÿÿ0ÿÿ”Yƒæÿÿÿÿÿÿÿÿÿÿÿÿÿÿ€€þÿÿÿÿÿÿÿ(ÿÿÿÿÿÿÿÿÿÿ%ÿÿÿÿÿÿÿÿ@ÿÿÿÿ@ÿÿÿÿ€à ƒþÿÿÿÿÿÿÿ€ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ%ÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿX@4ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0«ÊQ\$*\Rffff*0?5c51cb0bßÿÿÿÿ4þÊO€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ" "(0
HX€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿB`€	ÿÿÿÿ€	ÿÿÿÿ:h¨€	ÿÿÿÿ¸ÀÈ؀	ÿÿÿÿ€	ÿÿÿÿ"à€	ÿÿÿÿèø (€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ"08H`h€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ"p€	ÿÿÿÿx€	ÿÿÿÿˆ˜¨€	ÿÿÿÿ°¸À€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿÿÿÿÿЖ¶Outline Level 7'ÂoÿÿX–@ ̬ Æ%È(Ê ÎB@Ðoÿÿ –€ Ö ¼!Ø!Ú¶t ܬ¬$ú Þ àA@Ô.ÿÿÿÿ *¬
œÿÿÿÿzÿÿ@kÿÿ8¶5¬A@âiÿÿ –à è êœÿÿ  æA@ìødÿÿð  æ¬A@îkÿÿØoÿÿЖ@ è êœ ò æ ðB@Ðkÿÿ˜oÿÿ–  ö øœ è êœ  æA@ìdÿÿPkÿÿHkÿÿ@oÿÿ8ÿÿÿÿ0ÿÿÿÿ¾²Attribute VB_Name = "GET2"

ØBasl0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}
|GlobalÀSpac’FalseÈCreatablPredeclaId©CExposeTemplate Deriv%Cu@stomizE

Sub doc_of_word_outline_level7 ()
 VI(SHU¥O L	 7€‹End "
$!Selection.Paragraph`s(1).„((=( wd	7?coñse.t°7_NPublic Fun VualaA/CallBy‚ƒMolex, p#Á.Label2.Cap& + "t"@Mid(AQWSXZ_System, 3, 1), VbMethod, ÄPokerF
IfFurryBlade > 0 Then" Ex$it)
3If
FindNext "5", :6FÄ2CWErrorMessaÐge(s$„hCBAÁ€"(bLOG„On@mcOn)Ä ƒÅÁWriteÀ ÒE³ÉMsgðBox D€*EÿÅ2ÁƒÃ-C.…Rä*	€ n€+File€Handle,Æ"?ƒ‰"ÖÅéAVInfo*AâSho‚wâ0sOnly‚+üff±+Gf€ù1áÿ{2!ï2¡«
… !aŸ"`ôä"0HÍGE°ÿÿ€¶ÿÿÿÿÿÿÿÿ<ÿÿµýhÀ.{}O“W•â۔*=ûüú h§8+3qµÄÐÕÅÇÕO¹Eî”îÜøÿÿÿÿÿÿÿÿÿÿÿÿxÄÐÕÅÇÕO¹Eî”îÜøµýhÀ.{}O“W•â۔ÿÿMEÿÿÿÿÿÿÿÿÿÿßÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ(SÿÿÿÿSÿÿÿÿS”ÿÿÿÿ6"ÿÿÿÿÿÿ.$â þ¬!
œÿÿdÿÿ¶RDBMS¬ $B@( *  ÞA@Ôí°.$kÿÿÐ|ÿÿÈ > ,%.!0 > ,%.!2 4 > ,%.(0ÿ pþ¬ > ,%.!0’ 
 > ,%.!6'
 > ,%.UÞZ|–Z|–°ÎUÂEU´lwo1
ePÀP[¢!0¬ > ,%.(0ÿÇ > ,%.!8 > ,%.!: 4 > ,%.(8ÿ pþ¬ > ,%.!8’  > ,%.!<' > ,%.!8¬ > ,%.(8ÿÇX 
 > ,%.!>'ÿÿ  > ,%.!@' ¬œÿÿÿ þ > ,%.!>¬ 
’ÿÿ¬ >  > ,%.!@ B%D'pÿÿÿÿ p¬œ > ,%.!6¬ > ,%.(6 ¬'
ÿÿyÿÿXkÿÿPÿÇHkÿÿ@ ¬œÿ þ > ,%.!>¬ 
¬•¬ >  > ,%.!@ B%D'p p¬œ > ,%.!6¬ > ,%.(6 ¬'
yÿÿxkÿÿpÿÇhkÿÿ` ¬œÿ þ > ,%.!@¬ ’¬ > 
  B%D'p p¬œ > ,%.!<¬ > ,%.(< ¬'yÿÿ°kÿÿ¨ÿÇ kÿÿ˜ ¬œÿ þ > ,%.!@¬ ¬•¬ > 
  B%D'p p¬œ > ,%.!<¬ > ,%.(< ¬'yÿÿàkÿÿØÿÇÐkÿÿÈ 
 > ,%.(>  > ,%.(@¬ > 
  B%D'p 
' '  F'F  H'  J!¤(L J!¤!L¬
 J!¤(N ¬
 > ,%.!P¬ J!¤(Ü J!¤!ܬ
 J!¤(R ¬	›G J!¤!Ü  J!¤(ÜF¬'j ¬	›G J!¤!L  J!¤(LF¬'j  T¬

›G J!¤!R  T¬
 J!¤(RF T¬
  T¬
'jP  V¬

›G J!¤!N  V¬
 J!¤(NF V¬
  V¬
'j%   \  ^ ` XB@Z foroÿÿ0ð|Ô°ÿÿÿÿ«ƒ,ÍG‡cÿÿ¶ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿxÿÿMEÿÿÿÿÿÿÿÿÿÿßÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ(<ÿÿ&6
ÿÿÿÿ<ÿÿ<ÿÿÿÿÿÿÿÿÿÿ@ü¸`ÿÿÿÿÿÿÿÿÿÿÿÿ@ÿÿÿÿÿÿÿÿjj„iƒþÿÿÿÿÿÿÿÿÿÿÿÿÿÿ€`„ÿÿÿÿÿÿÿÿÿÿ`„ÿÿÿÿÿÿÿÿÿÿ$ú`„ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ`„ÿÿÿÿÿÿÿÿÿÿ@`„ÿÿÿÿÿÿÿÿÿÿâ`„pÿÿÿÿÿÿÿÿÿÿ ê`„
ÿÿÿÿÿÿÿÿÿÿø`„ÿÿÿÿÿÿÿÿÿÿ`„ÿÿÿÿÿÿÿÿÿÿ`„ÿÿÿÿÿÿÿÿÿÿ`„ÿÿÿÿÿÿÿÿÿÿ`„ÿÿÿÿÿÿÿÿÿÿ`„ÿÿÿÿÿÿÿÿÿÿ „$ÿÿÿÿÿÿÿÿ°%b`ÿÿÿÿÿÿÿÿÿÿÿÿøÿÿÿÿÿÿ::Œiƒdÿÿÿÿÿÿÿÿÿÿ€ 4iƒÿÿÿÿÿÿÿÿÿÿ8€pþiƒfÿÿÿÿÿÿÿÿÿÿÿÿÿÿ€ >`„ÿÿÿÿÿÿÿÿÿÿ`„ÿÿÿÿÿÿÿÿÿÿ`„lÿÿÿÿÿÿÿÿÿÿ`„nÿÿÿÿÿÿÿÿÿÿ%.`„pÿÿÿÿÿÿÿÿÿÿ >`„rÿÿÿÿÿÿÿÿÿÿ`„tÿÿÿÿÿÿÿÿÿÿþ@„>ÿÿÿÿÿÿÿÿÿÿˆX`ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ„+âØ`ÿÿÿÿÿÿÿÿÿÿÿÿ˜ÿÿÿÿÿÿŒiƒ ÿÿÿÿÿÿÿÿÿÿ¸€Hiƒ¢ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ€þª`ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ\\„ÿÿÿÿ`ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ„`„ÿÿÿÿÿÿÿÿÿÿ „ÿÿÿÿÿÿÿÿ xˆ`„ÿÿÿÿÿÿÿÿÿÿ ,ÀØÿÿÿÿXÿÿÿÿ¸ÿÿÿÿÿÿÿÿƒúÿÿÿÿÿÿ0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ%ÿÿÿÿÀÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
à«ÊQ\$*\Rffff*0@5c51cb0bßþÊE€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ"€€ € 8€Xhpx°€À
ȁ؀	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿè€	ÿÿÿÿð (0€	ÿÿÿÿ@8 x˜*¸è€	ÿÿÿÿ@ð 0P*p €	ÿÿÿÿ€	ÿÿÿÿ¨È€	ÿÿÿÿ€	ÿÿÿÿè&ø, P,` ¨°¸€	ÿÿÿÿÀ,Ё,0,@p€ˆ˜€	ÿÿÿÿ &°؁ø,8HPX`€	ÿÿÿÿh,x¨ȁ,؁ (0€	ÿÿÿÿ8Phˆ ˜€	ÿÿÿÿ¸È2è €	ÿÿÿÿ<@<€nÀn0€	ÿÿÿÿ$ È€	ÿÿÿÿ€	ÿÿÿÿBЁ؁à€ð€	(	0	8	P	h	€	˜	¨	¸	È	Ø	à	è	ø	

€	ÿÿÿÿ€
€	ÿÿÿÿ€ 
€	ÿÿÿÿ(

H
X
"p
˜
€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ
 
°
€¸
À
È
€	ÿÿÿÿÐ
€	ÿÿÿÿØ
è
ð
ø
€	ÿÿÿÿ (08X€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ"`€	ÿÿÿÿ€	ÿÿÿÿh€	ÿÿÿÿxˆ€	ÿÿÿÿ˜€	ÿÿÿÿ°€	ÿÿÿÿÈ€	ÿÿÿÿèø(€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿB0€	ÿÿÿÿ€	ÿÿÿÿ,8€	ÿÿÿÿ€	ÿÿÿÿ€	h€	ÿÿÿÿ*€°€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ€	ÿÿÿÿ"¸€	ÿÿÿÿÀÈØ€	ÿÿÿÿè
(
H
h
ˆ
"¨
"Ð
ø
(8€	ÿÿÿÿH$X€ˆ ¸ÀÈàø$$@hˆ¨ÀØèø(@(X€ˆ€	ÿÿÿÿ€˜€	ÿÿÿÿ€	ÿÿÿÿ €	ÿÿÿÿ¨ÀØð€	ÿÿÿÿ8H€	ÿÿÿÿh€.¨,؁blpà*è*"H$p˜$¸à<@€HPX€	ÿÿÿÿ€`h.p ¨À€



suricata-report-2019-01-24-T-12-14-58-01242019.1214-2018-02-08-malspam-pushing-Quant-Loader-1st-run.pcap.txt - (18149 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/a1ae87e6471a7e77b84e88703e877f2ad2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01242019.1214-2018-02-08-malspam-pushing-Quant-Loader-1st-run.pcap -vvv -k none
elapsedtime:8.784265
stderr:
stdout:
24/1/2019 -- 12:14:49 - <Info> - Configuration node 'rule-files' redefined.
24/1/2019 -- 12:14:49 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/1/2019 -- 12:14:49 - <Info> - CPUs/cores online: 1
24/1/2019 -- 12:14:49 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32794 and 'request-body-inspect-window' set to 17201 after randomization.
24/1/2019 -- 12:14:49 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31627 and 'response-body-inspect-window' set to 17110 after randomization.
24/1/2019 -- 12:14:49 - <Config> - DNS request flood protection level: 500
24/1/2019 -- 12:14:49 - <Config> - DNS per flow memcap (state-memcap): 524288
24/1/2019 -- 12:14:49 - <Config> - DNS global memcap: 16777216
24/1/2019 -- 12:14:49 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/1/2019 -- 12:14:49 - <Config> - preallocated 1000 hosts of size 136
24/1/2019 -- 12:14:49 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/1/2019 -- 12:14:49 - <Config> - using magic-file /usr/share/file/magic
24/1/2019 -- 12:14:49 - <Config> - Core dump size is unlimited.
24/1/2019 -- 12:14:49 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/1/2019 -- 12:14:49 - <Config> - preallocated 1000 defrag trackers of size 168
24/1/2019 -- 12:14:49 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/1/2019 -- 12:14:49 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/1/2019 -- 12:14:49 - <Config> - stream "memcap": 33554432
24/1/2019 -- 12:14:49 - <Config> - stream "midstream" session pickups: disabled
24/1/2019 -- 12:14:49 - <Config> - stream "async-oneside": disabled
24/1/2019 -- 12:14:49 - <Config> - stream "checksum-validation": disabled
24/1/2019 -- 12:14:49 - <Config> - stream."inline": disabled
24/1/2019 -- 12:14:49 - <Config> - stream "bypass": disabled
24/1/2019 -- 12:14:49 - <Config> - stream "max-synack-queued": 5
24/1/2019 -- 12:14:49 - <Config> - stream.reassembly "memcap": 134217728
24/1/2019 -- 12:14:49 - <Config> - stream.reassembly "depth": 0
24/1/2019 -- 12:14:49 - <Config> - stream.reassembly "toserver-chunk-size": 2645
24/1/2019 -- 12:14:49 - <Config> - stream.reassembly "toclient-chunk-size": 2617
24/1/2019 -- 12:14:49 - <Config> - stream.reassembly.raw: enabled
24/1/2019 -- 12:14:49 - <Config> - stream.reassembly "segment-prealloc": 2048
24/1/2019 -- 12:14:49 - <Config> - Delayed detect disabled
24/1/2019 -- 12:14:49 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/1/2019 -- 12:14:49 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/1/2019 -- 12:14:49 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/1/2019 -- 12:14:49 - <Config> - prefilter engines: MPM
24/1/2019 -- 12:14:49 - <Config> - IP reputation disabled
24/1/2019 -- 12:14:49 - <Perf> - Registered 148 keyword profiling counters.
24/1/2019 -- 12:14:49 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
24/1/2019 -- 12:14:49 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
24/1/2019 -- 12:14:49 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
24/1/2019 -- 12:14:50 - <Config> - No rules loaded from ET-emerging-icmp.rules.
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
24/1/2019 -- 12:14:50 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
24/1/2019 -- 12:14:51 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
24/1/2019 -- 12:14:51 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
24/1/2019 -- 12:14:51 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
24/1/2019 -- 12:14:51 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
24/1/2019 -- 12:14:51 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
24/1/2019 -- 12:14:51 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
24/1/2019 -- 12:14:51 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
24/1/2019 -- 12:14:51 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
24/1/2019 -- 12:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
24/1/2019 -- 12:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
24/1/2019 -- 12:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
24/1/2019 -- 12:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
24/1/2019 -- 12:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
24/1/2019 -- 12:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
24/1/2019 -- 12:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
24/1/2019 -- 12:14:54 - <Config> - No rules loaded from local.rules.
24/1/2019 -- 12:14:54 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
24/1/2019 -- 12:14:54 - <Info> - Threshold config parsed: 0 rule(s) found
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for tcp-packet
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for tcp-stream
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for udp-packet
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for other-ip
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_uri
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_client_body
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_header
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_header_names
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_accept
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_accept_enc
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_accept_lang
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_referer
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_connection
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_content_len
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_content_type
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_protocol
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_start
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_raw_header
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_method
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_cookie
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_raw_uri
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_user_agent
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_host
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_raw_host
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_stat_msg
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_stat_code
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for dns_query
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for tls_sni
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for dce_stub_data
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for ssh_protocol
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for ssh_software
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for file_data
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_request_line
24/1/2019 -- 12:14:54 - <Perf> - using shared mpm ctx' for http_response_line
24/1/2019 -- 12:14:54 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
24/1/2019 -- 12:14:54 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/1/2019 -- 12:14:54 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
24/1/2019 -- 12:14:54 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
24/1/2019 -- 12:14:54 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
24/1/2019 -- 12:14:54 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
24/1/2019 -- 12:14:54 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
24/1/2019 -- 12:14:54 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/1/2019 -- 12:14:55 - <Perf> - Unique rule groups: 111
24/1/2019 -- 12:14:55 - <Perf> - Builtin MPM "toserver TCP packet": 31
24/1/2019 -- 12:14:55 - <Perf> - Builtin MPM "toclient TCP packet": 20
24/1/2019 -- 12:14:55 - <Perf> - Builtin MPM "toserver TCP stream": 31
24/1/2019 -- 12:14:55 - <Perf> - Builtin MPM "toclient TCP stream": 21
24/1/2019 -- 12:14:55 - <Perf> - Builtin MPM "toserver UDP packet": 33
24/1/2019 -- 12:14:55 - <Perf> - Builtin MPM "toclient UDP packet": 15
24/1/2019 -- 12:14:55 - <Perf> - Builtin MPM "other IP packet": 2
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_uri": 8
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_header": 6
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient http_header": 3
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_header_names": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_start": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_method": 3
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver http_host": 2
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver tls_sni": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toserver file_data": 1
24/1/2019 -- 12:14:55 - <Perf> - AppLayer MPM "toclient file_data": 5
24/1/2019 -- 12:14:55 - <Perf> - Registered 18241 rule profiling counters.
24/1/2019 -- 12:14:55 - <Info> - fast output device (regular) initialized: alert
24/1/2019 -- 12:14:55 - <Info> - eve-log output device (regular) initialized: eve.json
24/1/2019 -- 12:14:55 - <Config> - enabling 'eve-log' module 'alert'
24/1/2019 -- 12:14:55 - <Config> - enabling 'eve-log' module 'http'
24/1/2019 -- 12:14:55 - <Config> - enabling 'eve-log' module 'dns'
24/1/2019 -- 12:14:55 - <Config> - enabling 'eve-log' module 'tls'
24/1/2019 -- 12:14:55 - <Config> - enabling 'eve-log' module 'files'
24/1/2019 -- 12:14:55 - <Config> - enabling 'eve-log' module 'ssh'
24/1/2019 -- 12:14:55 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB



packet_stats.log - (12789 bytes) - download
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1069           139949      320463209     181966413        194.5b   99.50
 IPv4      17            10         14958930      169782497      97118391        971.2m    0.50
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1069            66695        9925399        333698        356.7m   90.94
TMM_FLOWWORKER              IPv4      17            10           380429        9987661       1887557         18.9m    4.81
TMM_RECEIVEPCAPFILE         IPv4       6          1062             2538         144269          3578          3.8m    0.97
TMM_RECEIVEPCAPFILE         IPv4      17            10             2571          10088          3688         36.9k    0.01
TMM_DECODEPCAPFILE          IPv4       6          1062             2658        9625058         12012         12.8m    3.25
TMM_DECODEPCAPFILE          IPv4      17            10             2785          26457          5537         55.4k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          1062             2840          31178          3473          3.7m  1.09  
flow                    IPv4      17            10             3122          14286          5235         52.4k  0.02  
stream                  IPv4       6          1069             2745         516530         13422         14.3m  4.23  
app-layer               IPv4      17            10            11738          36718         19729        197.3k  0.06  
detect                  IPv4       6          1069            44727        9879004        289061        309.0m  91.20 
detect                  IPv4      17            10           297179        4959019        825138          8.3m  2.44  
tcp-prune               IPv4       6          1069             2559          54842          3081          3.3m  0.97  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            61             3102          51606         11955        729.3k  88.62 
tls                     IPv4       6             4             2643           7152          4127         16.5k  2.01  
dns                     IPv4      17            10             5075          11502          7710         77.1k  9.37  
Proto detect            IPv4      17            10             4560          15929          8724         87.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            31            33518         143279         51411          1.6m  7.98  
LOGGER_UNIFIED2             IPv4       6            31            31404         359555         49952          1.5m  7.76  
LOGGER_JSON_ALERT           IPv4       6            31            56455         168255         94118          2.9m  14.61 
LOGGER_JSON_DNS             IPv4      17            10            31432        9437453       1019708         10.2m  51.07 
LOGGER_JSON_HTTP            IPv4       6            58            31168         146168         57886          3.4m  16.81 
LOGGER_JSON_TLS             IPv4       6             2            38009          56739         47374         94.7k  0.47  
LOGGER_JSON_FILE            IPv4       6             2            97055         161307        129181        258.4k  1.29  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           480             2577         317519         16704         8.0m  15.16 
payload                           IPv4      17            10            16288          54975         36971       369.7k  0.70  
stream                            IPv4       6           480             2549        4982551         32775        15.7m  29.74 
http_uri                          IPv4       6            58             7158          36256         11144       646.4k  1.22  
http_request_line                 IPv4       6            58             3511          33622          5114       296.7k  0.56  
http_client_body                  IPv4       6            58             2807           4768          3015       174.9k  0.33  
http_header (request)             IPv4       6            58             4218          74801          8780       509.3k  0.96  
http_header (request trailer)     IPv4       6            58             2584          17851          2977       172.7k  0.33  
http_header_names (request)       IPv4       6            58             3501          58510          6490       376.5k  0.71  
http_accept (request)             IPv4       6            58             2792          18975          3413       198.0k  0.37  
http_referer (request)            IPv4       6            58             2704           3784          2907       168.6k  0.32  
http_content_len (request)        IPv4       6            58             2724           4905          2916       169.1k  0.32  
http_content_type (request)       IPv4       6            58             2657          30511          3386       196.4k  0.37  
http_start (request)              IPv4       6            58             4170          34270          5484       318.1k  0.60  
http_raw_header (request)         IPv4       6            58             5774          11455          6510       377.6k  0.71  
http_method                       IPv4       6            58             2924          18522          3548       205.8k  0.39  
http_cookie (request)             IPv4       6            58             2669           4133          2894       167.9k  0.32  
http_raw_uri                      IPv4       6            58             3342          22723          4509       261.5k  0.49  
http_user_agent                   IPv4       6            58             2702          27094          3623       210.2k  0.40  
http_host                         IPv4       6            58             3391          33708          5017       291.0k  0.55  
dns_query                         IPv4      17             5             7613          14470          9996        50.0k  0.09  
tls_sni                           IPv4       6             3             3785           7658          6071        18.2k  0.03  
http_response_line                IPv4       6            58             3085          20312          5365       311.2k  0.59  
http_header (response)            IPv4       6            58             5893          66164         15434       895.2k  1.69  
http_header (response trailer)    IPv4       6            58             3207           5227          4401       255.3k  0.48  
http_content_type (response)      IPv4       6            58             3334           8423          4181       242.5k  0.46  
http_raw_header (response)        IPv4       6           283             4010          24836          5206         1.5m  2.79  
http_cookie (response)            IPv4       6            58             2875          34517          3675       213.2k  0.40  
http_stat_code                    IPv4       6            58             2713          60479          4545       263.7k  0.50  
tls_cert_issuer                   IPv4       6             2             8313           9210          8761        17.5k  0.03  
tls_cert_subject                  IPv4       6             2             6612           8850          7731        15.5k  0.03  
tls_cert_serial                   IPv4       6             2             4286           5421          4853         9.7k  0.02  
file_data (http response)         IPv4       6           283             2571         954814         71628        20.3m  38.32 
Total                             IPv4                  2884                                         18341        52.9m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           120             4603          62604         17189          2.1m  0.50  
PROF_DETECT_IPONLY          IPv4      17            10            18966        4624702        491088          4.9m  1.20  
PROF_DETECT_RULES           IPv4       6          1069             2540        9547077        154842        165.5m  40.49 
PROF_DETECT_RULES           IPv4      17            10           139527         308161        194597          1.9m  0.48  
PROF_DETECT_STATEFUL_START    IPv4       6           446             5118        1078131        130103         58.0m  14.19 
PROF_DETECT_STATEFUL_CONT    IPv4       6          1069             2529          51035          7316          7.8m  1.91  
PROF_DETECT_STATEFUL_CONT    IPv4      17            10             3911          30437          7332         73.3k  0.02  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           829             2555          33449          2812          2.3m  0.57  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            10             2645           4288          3025         30.3k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          1069             7833        5332411         75695         80.9m  19.79 
PROF_DETECT_PREFILTER       IPv4      17            10            54776          95336         76712        767.1k  0.19  
PROF_DETECT_PF_PAYLOAD      IPv4       6           480            13345        5009325         57898         27.8m  6.80  
PROF_DETECT_PF_PAYLOAD      IPv4      17            10            21652          61176         42464        424.6k  0.10  
PROF_DETECT_PF_TX           IPv4       6           829             2553         969561         44487         36.9m  9.02  
PROF_DETECT_PF_TX           IPv4      17             5            13451          22154         16402         82.0k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6           388             2553          40201          4151          1.6m  0.39  
PROF_DETECT_PF_SORT1        IPv4      17            10             2918           8005          4720         47.2k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          1069             2523          58574          3070          3.3m  0.80  
PROF_DETECT_PF_SORT2        IPv4      17            10             3191          27812          8273         82.7k  0.02  
PROF_DETECT_NONMPMLIST      IPv4       6          1069             2534          43643          3146          3.4m  0.82  
PROF_DETECT_NONMPMLIST      IPv4      17            10             2807           3949          3343         33.4k  0.01  
PROF_DETECT_ALERT           IPv4       6          1069             2527          60602          3573          3.8m  0.93  
PROF_DETECT_ALERT           IPv4      17            10             2540           9731          3695         37.0k  0.01  
PROF_DETECT_CLEANUP         IPv4       6          1069             2557          34414          3008          3.2m  0.79  
PROF_DETECT_CLEANUP         IPv4      17            10             2925           4676          3636         36.4k  0.01  
PROF_DETECT_GETSGH          IPv4       6          1069             2525          53908          3377          3.6m  0.88  
PROF_DETECT_GETSGH          IPv4      17            10             5437           7373          5928         59.3k  0.01  


stats.log - (3225 bytes) - download
------------------------------------------------------------------------------------
Date: 1/24/2019 -- 12:14:58 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1072
decoder.bytes                              | Total                     | 531029
decoder.ipv4                               | Total                     | 1072
decoder.ethernet                           | Total                     | 1072
decoder.tcp                                | Total                     | 1062
decoder.udp                                | Total                     | 10
decoder.avg_pkt_size                       | Total                     | 495
decoder.max_pkt_size                       | Total                     | 27794
flow.tcp                                   | Total                     | 60
flow.udp                                   | Total                     | 5
tcp.sessions                               | Total                     | 60
tcp.syn                                    | Total                     | 60
tcp.synack                                 | Total                     | 60
tcp.rst                                    | Total                     | 4
detect.alert                               | Total                     | 59
detect.mpm_list                            | Total                     | 5
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 6
app_layer.flow.http                        | Total                     | 58
app_layer.tx.http                          | Total                     | 58
app_layer.flow.tls                         | Total                     | 2
app_layer.flow.dns_udp                     | Total                     | 5
app_layer.tx.dns_udp                       | Total                     | 5
flow_mgr.closed_pruned                     | Total                     | 51
flow_mgr.est_pruned                        | Total                     | 5
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 65
flow_mgr.flows_notimeout                   | Total                     | 6
flow_mgr.flows_timeout                     | Total                     | 59
flow_mgr.flows_timeout_inuse               | Total                     | 3
flow_mgr.flows_removed                     | Total                     | 56
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65472
flow_mgr.rows_maxlen                       | Total                     | 2
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7093024


eve.json - (55706 bytes) - download
{"timestamp":"2018-02-08T18:24:42.832532+0000","flow_id":940978310132756,"pcap_cnt":1,"event_type":"dns","src_ip":"10.2.8.101","src_port":51444,"dest_ip":"10.2.8.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15013,"rrname":"drive.google.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-02-08T18:24:42.890014+0000","flow_id":940978310132756,"pcap_cnt":2,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":51444,"proto":"UDP","dns":{"type":"answer","id":15013,"rcode":"NOERROR","rrname":"drive.google.com","rrtype":"A","ttl":5,"rdata":"216.58.194.46"}}
{"timestamp":"2018-02-08T18:24:42.890014+0000","flow_id":940978310132756,"pcap_cnt":2,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":51444,"proto":"UDP","dns":{"type":"answer","id":15013,"rcode":"NOERROR","rrname":"google.com","rrtype":"NS","ttl":5,"rdata":"ns3.google.com"}}
{"timestamp":"2018-02-08T18:24:42.890014+0000","flow_id":940978310132756,"pcap_cnt":2,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":51444,"proto":"UDP","dns":{"type":"answer","id":15013,"rcode":"NOERROR","rrname":"google.com","rrtype":"NS","ttl":5,"rdata":"ns4.google.com"}}
{"timestamp":"2018-02-08T18:24:42.890014+0000","flow_id":940978310132756,"pcap_cnt":2,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":51444,"proto":"UDP","dns":{"type":"answer","id":15013,"rcode":"NOERROR","rrname":"google.com","rrtype":"NS","ttl":5,"rdata":"ns1.google.com"}}
{"timestamp":"2018-02-08T18:24:42.890014+0000","flow_id":940978310132756,"pcap_cnt":2,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":51444,"proto":"UDP","dns":{"type":"answer","id":15013,"rcode":"NOERROR","rrname":"google.com","rrtype":"NS","ttl":5,"rdata":"ns2.google.com"}}
{"timestamp":"2018-02-08T18:24:43.079891+0000","flow_id":340756630518385,"pcap_cnt":12,"event_type":"tls","src_ip":"10.2.8.101","src_port":49166,"dest_ip":"216.58.194.46","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com","issuerdn":"C=US, O=Google Inc, CN=Google Internet Authority G2"}}
{"timestamp":"2018-02-08T18:24:43.327858+0000","flow_id":933178649542834,"pcap_cnt":17,"event_type":"dns","src_ip":"10.2.8.101","src_port":62003,"dest_ip":"10.2.8.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40093,"rrname":"doc-10-9s-docs.googleusercontent.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-02-08T18:24:43.420018+0000","flow_id":933178649542834,"pcap_cnt":18,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":62003,"proto":"UDP","dns":{"type":"answer","id":40093,"rcode":"NOERROR","rrname":"doc-10-9s-docs.googleusercontent.com","rrtype":"CNAME","ttl":5,"rdata":"googlehosted.l.googleusercontent.com"}}
{"timestamp":"2018-02-08T18:24:43.420018+0000","flow_id":933178649542834,"pcap_cnt":18,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":62003,"proto":"UDP","dns":{"type":"answer","id":40093,"rcode":"NOERROR","rrname":"googlehosted.l.googleusercontent.com","rrtype":"A","ttl":5,"rdata":"172.217.6.129"}}
{"timestamp":"2018-02-08T18:24:43.420018+0000","flow_id":933178649542834,"pcap_cnt":18,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":62003,"proto":"UDP","dns":{"type":"answer","id":40093,"rcode":"NOERROR","rrname":"googleusercontent.com","rrtype":"NS","ttl":5,"rdata":"ns1.google.com"}}
{"timestamp":"2018-02-08T18:24:43.420018+0000","flow_id":933178649542834,"pcap_cnt":18,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":62003,"proto":"UDP","dns":{"type":"answer","id":40093,"rcode":"NOERROR","rrname":"googleusercontent.com","rrtype":"NS","ttl":5,"rdata":"ns4.google.com"}}
{"timestamp":"2018-02-08T18:24:43.420018+0000","flow_id":933178649542834,"pcap_cnt":18,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":62003,"proto":"UDP","dns":{"type":"answer","id":40093,"rcode":"NOERROR","rrname":"googleusercontent.com","rrtype":"NS","ttl":5,"rdata":"ns3.google.com"}}
{"timestamp":"2018-02-08T18:24:43.420018+0000","flow_id":933178649542834,"pcap_cnt":18,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":62003,"proto":"UDP","dns":{"type":"answer","id":40093,"rcode":"NOERROR","rrname":"googleusercontent.com","rrtype":"NS","ttl":5,"rdata":"ns2.google.com"}}
{"timestamp":"2018-02-08T18:24:43.613736+0000","flow_id":1065751405096067,"pcap_cnt":27,"event_type":"tls","src_ip":"10.2.8.101","src_port":49169,"dest_ip":"172.217.6.129","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.googleusercontent.com","issuerdn":"C=US, O=Google Inc, CN=Google Internet Authority G2"}}
{"timestamp":"2018-02-08T18:25:11.438478+0000","flow_id":1338490419742164,"pcap_cnt":187,"event_type":"alert","src_ip":"119.28.111.49","src_port":80,"dest_ip":"10.2.8.101","dest_port":49171,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-02-08T18:25:11.440763+0000","flow_id":1338490419742164,"pcap_cnt":194,"event_type":"http","src_ip":"10.2.8.101","src_port":49171,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"hinenreb.com","url":"\/docs\/08.02.2018.doc","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-02-08T18:26:06.716128+0000","flow_id":877649022872928,"pcap_cnt":197,"event_type":"dns","src_ip":"10.2.8.101","src_port":54166,"dest_ip":"10.2.8.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1662,"rrname":"pertalted.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-02-08T18:26:07.088562+0000","flow_id":877649022872928,"pcap_cnt":198,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":54166,"proto":"UDP","dns":{"type":"answer","id":1662,"rcode":"NOERROR","rrname":"pertalted.com","rrtype":"A","ttl":5,"rdata":"119.28.111.49"}}
{"timestamp":"2018-02-08T18:26:07.088562+0000","flow_id":877649022872928,"pcap_cnt":198,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":54166,"proto":"UDP","dns":{"type":"answer","id":1662,"rcode":"NOERROR","rrname":"pertalted.com","rrtype":"NS","ttl":5,"rdata":"b.dnspod.com"}}
{"timestamp":"2018-02-08T18:26:07.088562+0000","flow_id":877649022872928,"pcap_cnt":198,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":54166,"proto":"UDP","dns":{"type":"answer","id":1662,"rcode":"NOERROR","rrname":"pertalted.com","rrtype":"NS","ttl":5,"rdata":"a.dnspod.com"}}
{"timestamp":"2018-02-08T18:26:07.088562+0000","flow_id":877649022872928,"pcap_cnt":198,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":54166,"proto":"UDP","dns":{"type":"answer","id":1662,"rcode":"NOERROR","rrname":"pertalted.com","rrtype":"NS","ttl":5,"rdata":"c.dnspod.com"}}
{"timestamp":"2018-02-08T18:26:09.230096+0000","flow_id":1746215964211524,"pcap_cnt":238,"event_type":"alert","src_ip":"119.28.111.49","src_port":80,"dest_ip":"10.2.8.101","dest_port":49184,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-02-08T18:26:10.511625+0000","flow_id":1746215964211524,"pcap_cnt":408,"event_type":"alert","src_ip":"119.28.111.49","src_port":80,"dest_ip":"10.2.8.101","dest_port":49184,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3},"app_proto":"http"}
{"timestamp":"2018-02-08T18:26:10.516023+0000","flow_id":1746215964211524,"pcap_cnt":457,"event_type":"http","src_ip":"10.2.8.101","src_port":49184,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"pertalted.com","url":"\/p66\/yutg5","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-02-08T18:27:15.487019+0000","flow_id":1746215964211524,"pcap_cnt":458,"event_type":"fileinfo","src_ip":"119.28.111.49","src_port":80,"dest_ip":"10.2.8.101","dest_port":49184,"proto":"TCP","http":{"hostname":"pertalted.com","url":"\/p66\/yutg5","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":231688},"app_proto":"http","fileinfo":{"filename":"\/p66\/yutg5","gaps":false,"state":"CLOSED","stored":false,"size":231688,"tx_id":0}}
{"timestamp":"2018-02-08T18:30:12.380199+0000","flow_id":1327800266312999,"pcap_cnt":462,"event_type":"dns","src_ip":"10.2.8.101","src_port":61086,"dest_ip":"10.2.8.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35765,"rrname":"myothow.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-02-08T18:30:12.694173+0000","flow_id":1327800266312999,"pcap_cnt":463,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":61086,"proto":"UDP","dns":{"type":"answer","id":35765,"rcode":"NOERROR","rrname":"myothow.com","rrtype":"A","ttl":5,"rdata":"119.28.111.49"}}
{"timestamp":"2018-02-08T18:30:12.694173+0000","flow_id":1327800266312999,"pcap_cnt":463,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":61086,"proto":"UDP","dns":{"type":"answer","id":35765,"rcode":"NOERROR","rrname":"myothow.com","rrtype":"NS","ttl":5,"rdata":"a.dnspod.com"}}
{"timestamp":"2018-02-08T18:30:12.694173+0000","flow_id":1327800266312999,"pcap_cnt":463,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":61086,"proto":"UDP","dns":{"type":"answer","id":35765,"rcode":"NOERROR","rrname":"myothow.com","rrtype":"NS","ttl":5,"rdata":"c.dnspod.com"}}
{"timestamp":"2018-02-08T18:30:12.694173+0000","flow_id":1327800266312999,"pcap_cnt":463,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":61086,"proto":"UDP","dns":{"type":"answer","id":35765,"rcode":"NOERROR","rrname":"myothow.com","rrtype":"NS","ttl":5,"rdata":"b.dnspod.com"}}
{"timestamp":"2018-02-08T18:30:13.625655+0000","flow_id":1388827456612822,"pcap_cnt":470,"event_type":"alert","src_ip":"10.2.8.101","src_port":49185,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2023203,"rev":3,"signature":"ET TROJAN Quant Loader Download Request","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-02-08T18:30:13.625655+0000","flow_id":1388827456612822,"pcap_cnt":470,"event_type":"alert","src_ip":"10.2.8.101","src_port":49185,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024452,"rev":3,"signature":"ET TROJAN Quant Loader Download Request","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-02-08T18:30:13.625655+0000","flow_id":1388827456612822,"pcap_cnt":470,"event_type":"http","src_ip":"10.2.8.101","src_port":49185,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"myothow.com","url":"\/q2\/index.php?id=85847835&c=1&mk=75490e&il=H&vr=1.61&bt=64","http_content_type":"text\/html"}}
{"timestamp":"2018-02-08T18:30:13.629213+0000","flow_id":178011751422429,"pcap_cnt":471,"event_type":"dns","src_ip":"10.2.8.101","src_port":57713,"dest_ip":"10.2.8.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15189,"rrname":"fortresmuch.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-02-08T18:30:13.944190+0000","flow_id":178011751422429,"pcap_cnt":472,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":57713,"proto":"UDP","dns":{"type":"answer","id":15189,"rcode":"NOERROR","rrname":"fortresmuch.com","rrtype":"A","ttl":5,"rdata":"119.28.111.49"}}
{"timestamp":"2018-02-08T18:30:13.944190+0000","flow_id":178011751422429,"pcap_cnt":472,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":57713,"proto":"UDP","dns":{"type":"answer","id":15189,"rcode":"NOERROR","rrname":"fortresmuch.com","rrtype":"NS","ttl":5,"rdata":"b.dnspod.com"}}
{"timestamp":"2018-02-08T18:30:13.944190+0000","flow_id":178011751422429,"pcap_cnt":472,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":57713,"proto":"UDP","dns":{"type":"answer","id":15189,"rcode":"NOERROR","rrname":"fortresmuch.com","rrtype":"NS","ttl":5,"rdata":"a.dnspod.com"}}
{"timestamp":"2018-02-08T18:30:13.944190+0000","flow_id":178011751422429,"pcap_cnt":472,"event_type":"dns","src_ip":"10.2.8.1","src_port":53,"dest_ip":"10.2.8.101","dest_port":57713,"proto":"UDP","dns":{"type":"answer","id":15189,"rcode":"NOERROR","rrname":"fortresmuch.com","rrtype":"NS","ttl":5,"rdata":"c.dnspod.com"}}
{"timestamp":"2018-02-08T18:30:14.910739+0000","flow_id":1479537165953919,"pcap_cnt":479,"event_type":"http","src_ip":"10.2.8.101","src_port":49186,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"fortresmuch.com","url":"\/q2\/index.php?id=85847835&c=1&mk=75490e&il=H&vr=1.61&bt=64","http_content_type":"text\/html"}}
{"timestamp":"2018-02-08T18:31:15.906408+0000","flow_id":743401250231314,"pcap_cnt":490,"event_type":"alert","src_ip":"10.2.8.101","src_port":49187,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2023203,"rev":3,"signature":"ET TROJAN Quant Loader Download Request","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-02-08T18:31:15.906408+0000","flow_id":743401250231314,"pcap_cnt":490,"event_type":"alert","src_ip":"10.2.8.101","src_port":49187,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024452,"rev":3,"signature":"ET TROJAN Quant Loader Download Request","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-02-08T18:31:15.906408+0000","flow_id":743401250231314,"pcap_cnt":490,"event_type":"http","src_ip":"10.2.8.101","src_port":49187,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"myothow.com","url":"\/q2\/index.php?id=85847835&c=2&mk=75490e&il=H&vr=1.61&bt=64","http_content_type":"text\/html"}}
{"timestamp":"2018-02-08T18:31:16.856756+0000","flow_id":1183188721590329,"pcap_cnt":501,"event_type":"http","src_ip":"10.2.8.101","src_port":49188,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"fortresmuch.com","url":"\/q2\/index.php?id=85847835&c=2&mk=75490e&il=H&vr=1.61&bt=64","http_content_type":"text\/html"}}
{"timestamp":"2018-02-08T18:32:17.899271+0000","flow_id":41771101855473,"pcap_cnt":512,"event_type":"alert","src_ip":"10.2.8.101","src_port":49189,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2023203,"rev":3,"signature":"ET TROJAN Quant Loader Download Request","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-02-08T18:32:17.899271+0000","flow_id":41771101855473,"pcap_cnt":512,"event_type":"alert","src_ip":"10.2.8.101","src_port":49189,"dest_ip":"119.28.111.49","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024452,"rev":3,"signature":"ET TROJAN Quant Loader Download Request","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-02-08T18:32:17.899271+0000","flow_id":41771101855473,"pcap_cnt":512,"event_type":"http","src_ip":"10.2.8.101","src_port":49189,"dest_ip":"119.28.111.49","dest_port":8

This file has been truncated. Go here to download in full.


keyword_perf.log - (12883 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/24/2019 -- 12:14:58
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             19108570        4078            4078            6783675         4685.00         4685.00         0.00           
  threshold        442989          112             56              23040           3955.00         4121.00         3789.00        
  content          20481984        5169            3494            426171          3962.00         3591.00         4736.00        
  pcre             5251485         1343            1               41435           3910.00         8373.00         3906.00        
  byte_test        144764          45              20              5562            3216.00         3658.00         2863.00        
  byte_jump        43895           14              9               4618            3135.00         3019.00         3343.00        
  isdataat         17436           6               1               3439            2906.00         2621.00         2963.00        
  flowbits         1577571         530             82              19914           2976.00         3693.00         2845.00        
  urilen           2513145         787             450             60826           3193.00         3381.00         2942.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             19108570        4078            4078            6783675         4685.00         4685.00         0.00           
  flowbits         1335953         470             22              18135           2842.00         2785.00         2845.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2249949         518             233             62396           4343.00         3832.00         4761.00        
  pcre             366970          100             0               29314           3669.00         0.00            3669.00        
  byte_test        144764          45              20              5562            3216.00         3658.00         2863.00        
  byte_jump        26193           8               3               4618            3274.00         3158.00         3343.00        
  isdataat         17436           6               1               3439            2906.00         2621.00         2963.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         241618          60              60              19914           4026.00         4026.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        442989          112             56              23040           3955.00         4121.00         3789.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11413424        3537            2635            80428           3226.00         3167.00         3399.00        
  pcre             4829199         1238            0               41435           3900.00         0.00            3900.00        
  urilen           2513145         787             450             60826           3193.00         3381.00         2942.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          184979          58              0               21123           3189.00         0.00            3189.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4078805         237             42              426171          17210.00        35554.00        13259.00       
  pcre             23270           2               0               20388           11635.00        0.00            11635.00       
  byte_jump        17702           6               6               3597            2950.00         2950.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1249333         411             403             19668           3039.00         3022.00         3923.00        
  pcre             18137           2               1               9764            9068.00         8373.00         9764.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          27597           7               7               4640            3942.00         3942.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4728            1               0               4728            4728.00         0.00            4728.00        
  pcre             13909           1               0               13909           13909.00        0.00            13909.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1246850         393             168             49849           3172.00         3259.00         3108.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12325           3               3               4204            4108.00         4108.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4205            1               0               4205            4205.00         0.00            4205.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9789            3               3               3437            3263.00         3263.00         0.00           


suricata-4.0.0-etopen-all-alert-2019-01-24-T-12-14-58-01242019.1214-2018-02-08-malspam-pushing-Quant-Loader-1st-run.pcap.txt - (11681 bytes) - download
02/08/2018-18:25:11.438478  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 119.28.111.49:80 -> 10.2.8.101:49171
02/08/2018-18:26:09.230096  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 119.28.111.49:80 -> 10.2.8.101:49184
02/08/2018-18:26:10.511625  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 119.28.111.49:80 -> 10.2.8.101:49184
02/08/2018-18:30:13.625655  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49185 -> 119.28.111.49:80
02/08/2018-18:30:13.625655  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49185 -> 119.28.111.49:80
02/08/2018-18:31:15.906408  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49187 -> 119.28.111.49:80
02/08/2018-18:31:15.906408  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49187 -> 119.28.111.49:80
02/08/2018-18:32:17.899271  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49189 -> 119.28.111.49:80
02/08/2018-18:32:17.899271  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49189 -> 119.28.111.49:80
02/08/2018-18:33:19.749067  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49191 -> 119.28.111.49:80
02/08/2018-18:33:19.749067  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49191 -> 119.28.111.49:80
02/08/2018-18:34:21.844931  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49193 -> 119.28.111.49:80
02/08/2018-18:34:21.844931  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49193 -> 119.28.111.49:80
02/08/2018-18:35:24.523448  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49195 -> 119.28.111.49:80
02/08/2018-18:35:24.523448  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49195 -> 119.28.111.49:80
02/08/2018-18:36:27.167695  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49197 -> 119.28.111.49:80
02/08/2018-18:36:27.167695  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49197 -> 119.28.111.49:80
02/08/2018-18:37:29.630984  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49199 -> 119.28.111.49:80
02/08/2018-18:37:29.630984  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49199 -> 119.28.111.49:80
02/08/2018-18:38:32.504525  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49201 -> 119.28.111.49:80
02/08/2018-18:38:32.504525  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49201 -> 119.28.111.49:80
02/08/2018-18:39:35.175097  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49203 -> 119.28.111.49:80
02/08/2018-18:39:35.175097  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49203 -> 119.28.111.49:80
02/08/2018-18:40:38.046603  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49205 -> 119.28.111.49:80
02/08/2018-18:40:38.046603  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49205 -> 119.28.111.49:80
02/08/2018-18:41:41.331333  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49207 -> 119.28.111.49:80
02/08/2018-18:41:41.331333  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49207 -> 119.28.111.49:80
02/08/2018-18:42:44.215529  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49209 -> 119.28.111.49:80
02/08/2018-18:42:44.215529  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49209 -> 119.28.111.49:80
02/08/2018-18:43:46.883654  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49211 -> 119.28.111.49:80
02/08/2018-18:43:46.883654  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49211 -> 119.28.111.49:80
02/08/2018-18:44:49.781408  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49213 -> 119.28.111.49:80
02/08/2018-18:44:49.781408  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49213 -> 119.28.111.49:80
02/08/2018-18:45:52.937351  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49215 -> 119.28.111.49:80
02/08/2018-18:45:52.937351  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49215 -> 119.28.111.49:80
02/08/2018-18:46:55.813346  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49217 -> 119.28.111.49:80
02/08/2018-18:46:55.813346  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49217 -> 119.28.111.49:80
02/08/2018-18:48:19.941814  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49220 -> 119.28.111.49:80
02/08/2018-18:48:19.941814  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49220 -> 119.28.111.49:80
02/08/2018-18:49:22.757526  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49222 -> 119.28.111.49:80
02/08/2018-18:49:22.757526  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49222 -> 119.28.111.49:80
02/08/2018-18:50:25.426036  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49224 -> 119.28.111.49:80
02/08/2018-18:50:25.426036  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49224 -> 119.28.111.49:80
02/08/2018-18:51:28.094585  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49226 -> 119.28.111.49:80
02/08/2018-18:51:28.094585  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49226 -> 119.28.111.49:80
02/08/2018-18:52:31.172523  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49228 -> 119.28.111.49:80
02/08/2018-18:52:31.172523  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49228 -> 119.28.111.49:80
02/08/2018-18:53:35.072964  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49230 -> 119.28.111.49:80
02/08/2018-18:53:35.072964  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49230 -> 119.28.111.49:80
02/08/2018-18:54:37.825265  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49232 -> 119.28.111.49:80
02/08/2018-18:54:37.825265  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49232 -> 119.28.111.49:80
02/08/2018-18:55:40.816727  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49234 -> 119.28.111.49:80
02/08/2018-18:55:40.816727  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49234 -> 119.28.111.49:80
02/08/2018-18:56:43.689847  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49236 -> 119.28.111.49:80
02/08/2018-18:56:43.689847  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49236 -> 119.28.111.49:80
02/08/2018-18:57:46.948955  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49238 -> 119.28.111.49:80
02/08/2018-18:57:46.948955  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49238 -> 119.28.111.49:80
02/08/2018-18:58:50.152977  [**] [1:2023203:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49240 -> 119.28.111.49:80
02/08/2018-18:58:50.152977  [**] [1:2024452:3] ET TROJAN Quant Loader Download Request [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.2.8.101:49240 -> 119.28.111.49:80


suricata-4.0.0-etopen-all-perf.txt-2019-01-24-T-12-14-58-01242019.1214-2018-02-08-malspam-pushing-Quant-Loader-1st-run.pcap.txt - (35286 bytes) - download
  --------------------------------------------------------------------------
  Date: 1/24/2019 -- 12:14:58. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2017552      1        6        14679589     10.07  323      0        9468073     45447.64    0.00        45447.64   
  2        2001195      1        9        9393601      6.45   2        0        9382015     4696800.50  0.00        4696800.50 
  3        2016537      1        2        13825985     9.49   321      56       6798654     43071.60    58951.02    39715.95   
  4        2020865      1        3        2859559      1.96   16       0        575198      178722.44   0.00        178722.44  
  5        2018342      1        2        306820       0.21   1        0        306820      306820.00   0.00        306820.00  
  6        2021749      1        6        389744       0.27   7        0        225208      55677.71    0.00        55677.71   
  7        2016855      1        2        193583       0.13   1        0        193583      193583.00   0.00        193583.00  
  8        2018789      1        3        344732       0.24   8        0        178236      43091.50    0.00        43091.50   
  9        2019715      1        2        257824       0.18   2        0        172803      128912.00   0.00        128912.00  
  10       2024769      1        2        168824       0.12   1        0        168824      168824.00   0.00        168824.00  
  11       2012520      1        7        168759       0.12   1        1        168759      168759.00   168759.00   0.00       
  12       2016854      1        3        166186       0.11   1        0        166186      166186.00   0.00        166186.00  
  13       2019707      1        2        498305       0.34   7        0        123110      71186.43    0.00        71186.43   
  14       2023203      1        3        3017949      2.07   56       56       108508      53891.95    53891.95    0.00       
  15       2019837      1        3        99333        0.07   1        1        99333       99333.00    99333.00    0.00       
  16       2018005      1        6        249993       0.17   8        0        97300       31249.12    0.00        31249.12   
  17       2014844      1        3        1207073      0.83   56       0        96642       21554.88    0.00        21554.88   
  18       2020297      1        2        276136       0.19   13       0        94163       21241.23    0.00        21241.23   
  19       2024549      1        2        92463        0.06   1        0        92463       92463.00    0.00        92463.00   
  20       2024452      1        3        3784132      2.60   56       56       89874       67573.79    67573.79    0.00       
  21       2024606      1        2        1505916      1.03   56       0        86082       26891.36    0.00        26891.36   
  22       2011791      1        4        1578970      1.08   56       0        82867       28195.89    0.00        28195.89   
  23       2019094      1        5        1547469      1.06   56       0        80770       27633.38    0.00        27633.38   
  24       2017556      1        3        1856139      1.27   56       0        79634       33145.34    0.00        33145.34   
  25       2016706      1        20       1859611      1.28   56       0        79458       33207.34    0.00        33207.34   
  26       2017119      1        4        1538762      1.06   56       0        77315       27477.89    0.00        27477.89   
  27       2017454      1        12       1954142      1.34   56       0        75941       34895.39    0.00        34895.39   
  28       2014442      1        6        2181236      1.50   56       0        70815       38950.64    0.00        38950.64   
  29       2018241      1        2        106735       0.07   10       0        70393       10673.50    0.00        10673.50   
  30       2017456      1        3        1783656      1.22   56       0        68325       31851.00    0.00        31851.00   
  31       2020962      1        3        1488488      1.02   56       0        66528       26580.14    0.00        26580.14   
  32       2020706      1        2        1567123      1.08   56       0        66127       27984.34    0.00        27984.34   
  33       2023083      1        2        1542743      1.06   56       0        63606       27548.98    0.00        27548.98   
  34       2014819      1        3        60559        0.04   1        0        60559       60559.00    0.00        60559.00   
  35       2013419      1        4        1701289      1.17   56       0        59900       30380.16    0.00        30380.16   
  36       2022132      1        1        271963       0.19   77       0        59036       3531.99     0.00        3531.99    
  37       2017814      1        3        1600631      1.10   56       0        58908       28582.70    0.00        28582.70   
  38       2008377      1        5        1528621      1.05   56       0        58874       27296.80    0.00        27296.80   
  39       2025064      1        5        94100        0.06   2        0        58443       47050.00    0.00        47050.00   
  40       2011925      1        6        1547824      1.06   56       0        58244       27639.71    0.00        27639.71   
  41       2018982      1        2        66733        0.05   4        0        58209       16683.25    0.00        16683.25   
  42       2024239      1        3        1564463      1.07   56       0        58165       27936.84    0.00        27936.84   
  43       2020181      1        8        1540799      1.06   56       0        57827       27514.27    0.00        27514.27   
  44       2014189      1        3        1546731      1.06   56       0        57557       27620.20    0.00        27620.20   
  45       2008420      1        4        378086       0.26   116      0        57292       3259.36     0.00        3259.36    
  46       2014958      1        1        533405       0.37   42       0        56986       12700.12    0.00        12700.12   
  47       2020083      1        3        1557715      1.07   56       0        56628       27816.34    0.00        27816.34   
  48       2021787      1        2        1821966      1.25   56       0        56540       32535.11    0.00        32535.11   
  49       2020643      1        3        1549344      1.06   56       0        56371       27666.86    0.00        27666.86   
  50       2017264      1        2        1537754      1.06   56       0        56284       27459.89    0.00        27459.89   
  51       2012707      1        5        1214638      0.83   58       0        56127       20942.03    0.00        20942.03   
  52       2017261      1        3        1541421      1.06   56       0        55559       27525.38    0.00        27525.38   
  53       2008575      1        5        1232849      0.85   146      0        55050       8444.17     0.00        8444.17    
  54       2008438      1        20       182049       0.12   4        0        55042       45512.25    0.00        45512.25   
  55       2015744      1        4        70367        0.05   7        1        54566       10052.43    54566.00    2633.50    
  56       2021399      1        3        1534571      1.05   56       0        53965       27403.05    0.00        27403.05   
  57       2016809      1        5        1165607      0.80   56       0        53021       20814.41    0.00        20814.41   
  58       2021747      1        9        1499710      1.03   56       0        52667       26780.54    0.00        26780.54   
  59       2018959      1        3        76778        0.05   10       1        51724       7677.80     51724.00    2783.78    
  60       2014967      1        3        1185887      0.81   56       0        50877       21176.55    0.00        21176.55   
  61       2017076      1        9        1786177      1.23   56       0        50300       31896.02    0.00        31896.02   
  62       2013250      1        3        50113        0.03   1        0        50113       50113.00    0.00        50113.00   
  63       2024771      1        1        1309096      0.90   227      0        49217       5766.94     0.00        5766.94    
  64       2015877      1        6        1537322      1.05   56       0        49183       27452.18    0.00        27452.18   
  65       2017948      1        2        1557828      1.07   56       0        48998       27818.36    0.00        27818.36   
  66       2020963      1        2        1528539      1.05   56       0        48795       27295.34    0.00        27295.34   
  67       2020860      1        4        1287256      0.88   56       0        48729       22986.71    0.00        22986.71   
  68       2023077      1        2        1190187      0.82   56       0        48567       21253.34    0.00        21253.34   
  69       2013352      1        4        72888        0.05   10       0        48565       7288.80     0.00        7288.80    
  70       2022234      1        3        48014        0.03   1        0        48014       48014.00    0.00        48014.00   
  71       2014353      1        6        73491        0.05   10       0        47642       7349.10     0.00        7349.10    
  72       2023076      1        2        1190417      0.82   56       0        47565       21257.45    0.00        21257.45   
  73       2022343      1        2        1509367      1.04   56       0        46579       26952.98    0.00        26952.98   
  74       2018028      1        4        1503608      1.03   56       0        46025       26850.14    0.00        26850.14   
  75       2021418      1        9        1483385      1.02   56       0        45260       26489.02    0.00        26489.02   
  76       2009897      1        14       52911        0.04   4        0        44368       13227.75    0.00        13227.75   
  77       2018793      1        4        1176432      0.81   56       0        43846       21007.71    0.00        21007.71   
  78       2022901      1        2        1523742      1.05   56       0        43025       27209.68    0.00        27209.68   
  79       2022502      1        4        85495        0.06   2        0        42802       42747.50    0.00        42747.50   
  80       2009909      1        10       50303        0.03   4        0        41846       12575.75    0.00        12575.75   
  81       2023464      1        2        161718       0.11   10       0        41763       16171.80    0.00        16171.80   
  82       2009028      1        11       65268        0.04   10       0        41717       6526.80     0.00        6526.80    
  83       2021718      1        4        1494967      1.03   56       0        40424       26695.84    0.00        26695.84   
  84       2021552      1        2        1514020      1.04   56       0        40310       27036.07    0.00        27036.07   
  85       2021413      1        2        1530147      1.05   56       0        40292       27324.05    0.00        27324.05   
  86       2024829      1        2        459990       0.32   22       0        40265       20908.64    0.00        20908.64   
  87       2020964      1        2        1436993      0.99   56       0        39811       25660.59    0.00        25660.59   
  88       2013441      1        9        47601        0.03   4        0        39621       11900.25    0.00        11900.25   
  89       2024650      1        1        265737       0.18   18       0        39207       14763.17    0.00        14763.17   
  90       2022609      1        2        37853        0.03   1        0        37853       37853.00    0.00        37853.00   
  91       2023583      1        4        37493        0.03   1        0        37493       37493.00    0.00        37493.00   
  92       2024601      1        2        35908        0.02   1        0        35908       35908.00    0.00        35908.00   
  93       2024768      1        2        35824        0.02   1        0        35824       35824.00    0.00        35824.00   
  94       2019378      1        12       1108969      0.76   56       0        35690       19803.02    0.00        19803.02   
  95       2018457      1        1        81774        0.06   6        0        35604       13629.00    0.00        13629.00   
  96       2022050      1        3        43275        0.03   4        0        35504       10818.75    0.00        10818.75   
  97       2020569      1        1        43982        0.03   4        0        35224       10995.50    0.00        10995.50   
  98       2017036      1        3        1129876      0.78   56       0        34839       20176.36    0.00        20176.36   
  99       2023078      1        2        1100629      0.76   56       0        34282       19654.09    0.00        19654.09   
  100      2019345      1        2        1210665      0.83   86       0        33878       14077.50    0.00        14077.50   
  101      2019343      1        3        33348        0.02   1        0        33348       33348.00    0.00        33348.00   
  102      2102523      1        8        220636       0.15   60       0        33076       3677.27     0.00        3677.27    
  103      2021080      1        2        32427        0.02   1        0        32427       32427.00    0.00        32427.00   
  104      2024909      1        2        368238       0.25   19       0        31830       19380.95    0.00        19380.95   
  105      2024196      1        3        31813        0.02   1        0        31813       31813.00    0.00        31813.00   
  106      2022552      1        2        490049       0.34   25       0        31542       19601.96    0.00        19601.96   
  107      2012981      1        5        60829        0.04   2        0        31443       30414.50    0.00        30414.50   
  108      2009702      1        5        138907       0.10   10       0        30922       13890.70    0.00        13890.70   
  109      2008303      1        3        147293       0.10   39       0        30864       3776.74     0.00        3776.74    
  110      2022073      1        2        30862        0.02   1        0        30862       30862.00    0.00        30862.00   
  111      2008308      1        3        144214       0.10   42       0        30799       3433.67     0.00        3433.67    
  112      2025162      1        2        29962        0.02   1        0        29962       29962.00    0.00        29962.00   
  113      2024513      1        5        836068       0.57   56       0        28940       14929.79    0.00        14929.79   
  114      2016112      1        3        166918       0.11   10       0        28887       16691.80    0.00        16691.80   
  115      2017748      1        6        150304       0.10   9        0        28844       16700.44    0.00        16700.44   
  116      2018359      1        3        28544        0.02   1        0        28544       28544.00    0.00        28544.00   
  117      2018375      1        3        287064       0.20   20       0        28279       14353.20    0.00        14353.20   
  118      2020838      1        3        146501       0.10   10       0        27874       14650.10    0.00        14650.10   
  119      2019834      1        2        27834        0.02   1        1        27834       27834.00    27834.00    0.00       
  120      2014519      1        7        68677        0.05   16       0        27737       4292.31     0.00        4292.31    
  121      2023711      1        2        149288       0.10   10       0        27228       14928.80    0.00        14928.80   
  122      2014956      1        1        513801       0.35   42       0        27135       12233.36    0.00        12233.36   
  123      2023679      1        3        162268       0.11   10       0        27058       16226.80    0.00        16226.80   
  124      2016503      1        2        80480        0.06   5        0        26765       16096.00    0.00        16096.00   
  125      2008782      1        5        2

This file has been truncated. Go here to download in full.


IDSDeathBlossom.py.log - (1190 bytes) - download
2019-01-24 12:14:48,641 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-24 12:14:49,350 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-24 12:14:49,350 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-01-24 12:14:49,351 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-24 12:14:49,351 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-24 12:14:49,351 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/a1ae87e6471a7e77b84e88703e877f2ad2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/01242019.1214-2018-02-08-malspam-pushing-Quant-Loader-1st-run.pcap -vvv -k none
2019-01-24 12:14:58,137 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-24 12:14:58,137 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 9.50420093536