Filename: new-2022813-suri.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 12.7521731853 seconds
Hash: a5a661a95b07c9235529a24e37cd966c
Uploaded: 1538758995 (Unix epoch; 2018-10-05 17:03:15 UTC)

Logfiles


packet_stats.log (8384 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            35          1126587       18322545      10717855        375.1m  100.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            35            73383        5432982        505406         17.7m   98.56
TMM_RECEIVEPCAPFILE         IPv4       6            35             2850          10797          3171        111.0k    0.62
TMM_DECODEPCAPFILE          IPv4       6            35             2892          42288          4230        148.1k    0.83

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6            35             2928         405459         16724        585.4k  5.14  
stream                  IPv4       6            35             3249         511845         82254          2.9m  25.30 
detect                  IPv4       6            35            46821        1272672        222334          7.8m  68.39 
tcp-prune               IPv4       6            35             2634          21849          3763        131.7k  1.16  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6             3             5364          14400          8469         25.4k  100.00

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_JSON_HTTP            IPv4       6             3            95277        4681695       1777427          5.3m  100.00

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            12             2760          67287         23283       279.4k  9.53  
stream                            IPv4       6            12             2628         523776         97046         1.2m  39.72 
http_uri                          IPv4       6             3             4332           5268          4802        14.4k  0.49  
http_request_line                 IPv4       6             3             6216           8526          7205        21.6k  0.74  
http_client_body                  IPv4       6             3             3600          18906          8812        26.4k  0.90  
http_header (request)             IPv4       6             3            18078          37746         27822        83.5k  2.85  
http_header (request trailer)     IPv4       6             3             2739           2832          2772         8.3k  0.28  
http_header_names (request)       IPv4       6             3            12333         420990        149732       449.2k  15.32 
http_accept (request)             IPv4       6             3             3795          10788          7203        21.6k  0.74  
http_referer (request)            IPv4       6             3             3465           4905          3970        11.9k  0.41  
http_content_len (request)        IPv4       6             3             3297           4701          4025        12.1k  0.41  
http_content_type (request)       IPv4       6             3             3255           4761          3915        11.7k  0.40  
http_start (request)              IPv4       6             3            10755          14367         12678        38.0k  1.30  
http_raw_header (request)         IPv4       6             3             7785           8991          8497        25.5k  0.87  
http_method                       IPv4       6             3             4416           5004          4743        14.2k  0.49  
http_cookie (request)             IPv4       6             3             3045           8358          4872        14.6k  0.50  
http_raw_uri                      IPv4       6             3             3036           3105          3076         9.2k  0.31  
http_user_agent                   IPv4       6             3             7746          24795         14649        43.9k  1.50  
http_host                         IPv4       6             3             6180          16134          9559        28.7k  0.98  
http_response_line                IPv4       6             3             5193           8754          6743        20.2k  0.69  
http_header (response)            IPv4       6             3            30246         427395        170287       510.9k  17.42 
http_header (response trailer)    IPv4       6             3             2703           2958          2795         8.4k  0.29  
http_content_type (response)      IPv4       6             3             3966           4866          4502        13.5k  0.46  
http_raw_header (response)        IPv4       6             3            13431          17475         15282        45.8k  1.56  
http_cookie (response)            IPv4       6             3             5943           7869          6830        20.5k  0.70  
http_stat_code                    IPv4       6             3             3267          10536          5788        17.4k  0.59  
file_data (http response)         IPv4       6             3             3354           9249          5457        16.4k  0.56  
Total                             IPv4                    99                                         29616         2.9m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6             6            13182         407619         99688        598.1k  6.25  
PROF_DETECT_RULES           IPv4       6            35             2628         176091         24540        858.9k  8.97  
PROF_DETECT_STATEFUL_CONT    IPv4       6            35             2607          52542          5494        192.3k  2.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            23             2634           5250          3136         72.1k  0.75  
PROF_DETECT_PREFILTER       IPv4       6            35             8607         703176        110195          3.9m  40.29 
PROF_DETECT_PF_PAYLOAD      IPv4       6            12            35721         536136        128453          1.5m  16.10 
PROF_DETECT_PF_TX           IPv4       6            23             2829         597168         79087          1.8m  19.00 
PROF_DETECT_PF_SORT1        IPv4       6             6             3177           4419          3796         22.8k  0.24  
PROF_DETECT_PF_SORT2        IPv4       6            35             2595          19413          3689        129.1k  1.35  
PROF_DETECT_NONMPMLIST      IPv4       6            35             2622           4161          3098        108.5k  1.13  
PROF_DETECT_ALERT           IPv4       6            35             2619          14235          3189        111.6k  1.17  
PROF_DETECT_CLEANUP         IPv4       6            35             2667          13119          3532        123.6k  1.29  
PROF_DETECT_GETSGH          IPv4       6            35             2631          14373          3984        139.5k  1.46  


suricata-report-2018-10-05-T-17-03-28-10052018.1703-new-2022813-suri.pcap.txt (17974 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/a5a661a95b07c9235529a24e37cd966cd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/10052018.1703-new-2022813-suri.pcap -vvv -k none
elapsedtime:11.268652
stderr:
stdout:
5/10/2018 -- 17:03:16 - <Info> - Configuration node 'rule-files' redefined.
5/10/2018 -- 17:03:16 - <Notice> - This is Suricata version 4.0.0 RELEASE
5/10/2018 -- 17:03:16 - <Info> - CPUs/cores online: 1
5/10/2018 -- 17:03:16 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32391 and 'request-body-inspect-window' set to 17109 after randomization.
5/10/2018 -- 17:03:16 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33798 and 'response-body-inspect-window' set to 16535 after randomization.
5/10/2018 -- 17:03:16 - <Config> - DNS request flood protection level: 500
5/10/2018 -- 17:03:16 - <Config> - DNS per flow memcap (state-memcap): 524288
5/10/2018 -- 17:03:16 - <Config> - DNS global memcap: 16777216
5/10/2018 -- 17:03:16 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
5/10/2018 -- 17:03:16 - <Config> - preallocated 1000 hosts of size 136
5/10/2018 -- 17:03:16 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
5/10/2018 -- 17:03:16 - <Config> - using magic-file /usr/share/file/magic
5/10/2018 -- 17:03:16 - <Config> - Core dump size is unlimited.
5/10/2018 -- 17:03:16 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
5/10/2018 -- 17:03:16 - <Config> - preallocated 1000 defrag trackers of size 168
5/10/2018 -- 17:03:16 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
5/10/2018 -- 17:03:16 - <Config> - stream "prealloc-sessions": 2048 (per thread)
5/10/2018 -- 17:03:16 - <Config> - stream "memcap": 33554432
5/10/2018 -- 17:03:16 - <Config> - stream "midstream" session pickups: disabled
5/10/2018 -- 17:03:16 - <Config> - stream "async-oneside": disabled
5/10/2018 -- 17:03:16 - <Config> - stream "checksum-validation": disabled
5/10/2018 -- 17:03:16 - <Config> - stream."inline": disabled
5/10/2018 -- 17:03:16 - <Config> - stream "bypass": disabled
5/10/2018 -- 17:03:16 - <Config> - stream "max-synack-queued": 5
5/10/2018 -- 17:03:16 - <Config> - stream.reassembly "memcap": 134217728
5/10/2018 -- 17:03:16 - <Config> - stream.reassembly "depth": 0
5/10/2018 -- 17:03:16 - <Config> - stream.reassembly "toserver-chunk-size": 2556
5/10/2018 -- 17:03:16 - <Config> - stream.reassembly "toclient-chunk-size": 2662
5/10/2018 -- 17:03:16 - <Config> - stream.reassembly.raw: enabled
5/10/2018 -- 17:03:16 - <Config> - stream.reassembly "segment-prealloc": 2048
5/10/2018 -- 17:03:16 - <Config> - Delayed detect disabled
5/10/2018 -- 17:03:16 - <Config> - pattern matchers: MPM: ac, SPM: bm
5/10/2018 -- 17:03:16 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
5/10/2018 -- 17:03:16 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
5/10/2018 -- 17:03:16 - <Config> - prefilter engines: MPM
5/10/2018 -- 17:03:16 - <Config> - IP reputation disabled
5/10/2018 -- 17:03:16 - <Perf> - Registered 148 keyword profiling counters.
5/10/2018 -- 17:03:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
5/10/2018 -- 17:03:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
5/10/2018 -- 17:03:17 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
5/10/2018 -- 17:03:19 - <Config> - No rules loaded from ET-emerging-icmp.rules.
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
5/10/2018 -- 17:03:19 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
5/10/2018 -- 17:03:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
5/10/2018 -- 17:03:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
5/10/2018 -- 17:03:20 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
5/10/2018 -- 17:03:23 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
5/10/2018 -- 17:03:24 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
5/10/2018 -- 17:03:24 - <Config> - No rules loaded from local.rules.
5/10/2018 -- 17:03:24 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
5/10/2018 -- 17:03:24 - <Info> - Threshold config parsed: 0 rule(s) found
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for tcp-packet
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for tcp-stream
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for udp-packet
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for other-ip
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_uri
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_request_line
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_client_body
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_response_line
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_header
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_header
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_header_names
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_header_names
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_accept
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_accept_enc
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_accept_lang
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_referer
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_connection
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_content_len
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_content_len
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_content_type
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_content_type
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_protocol
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_protocol
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_start
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_start
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_raw_header
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_raw_header
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_method
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_cookie
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_cookie
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_raw_uri
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_user_agent
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_host
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_raw_host
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_stat_msg
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_stat_code
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for dns_query
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for tls_sni
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for tls_cert_issuer
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for tls_cert_subject
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for tls_cert_serial
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for dce_stub_data
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for dce_stub_data
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for ssh_protocol
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for ssh_protocol
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for ssh_software
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for ssh_software
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for file_data
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for file_data
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_request_line
5/10/2018 -- 17:03:24 - <Perf> - using shared mpm ctx' for http_response_line
5/10/2018 -- 17:03:24 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
5/10/2018 -- 17:03:24 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
5/10/2018 -- 17:03:24 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
5/10/2018 -- 17:03:24 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
5/10/2018 -- 17:03:24 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
5/10/2018 -- 17:03:24 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
5/10/2018 -- 17:03:24 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
5/10/2018 -- 17:03:24 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
5/10/2018 -- 17:03:26 - <Perf> - Unique rule groups: 111
5/10/2018 -- 17:03:26 - <Perf> - Builtin MPM "toserver TCP packet": 31
5/10/2018 -- 17:03:26 - <Perf> - Builtin MPM "toclient TCP packet": 20
5/10/2018 -- 17:03:26 - <Perf> - Builtin MPM "toserver TCP stream": 31
5/10/2018 -- 17:03:26 - <Perf> - Builtin MPM "toclient TCP stream": 21
5/10/2018 -- 17:03:26 - <Perf> - Builtin MPM "toserver UDP packet": 33
5/10/2018 -- 17:03:26 - <Perf> - Builtin MPM "toclient UDP packet": 15
5/10/2018 -- 17:03:26 - <Perf> - Builtin MPM "other IP packet": 2
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_uri": 8
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_request_line": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_client_body": 6
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient http_response_line": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_header": 6
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient http_header": 3
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_header_names": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_accept": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_referer": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_content_len": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_content_type": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient http_content_type": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_start": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_method": 3
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_cookie": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient http_cookie": 2
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver http_host": 2
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver dns_query": 4
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver tls_sni": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toserver file_data": 1
5/10/2018 -- 17:03:26 - <Perf> - AppLayer MPM "toclient file_data": 5
5/10/2018 -- 17:03:27 - <Perf> - Registered 18241 rule profiling counters.
5/10/2018 -- 17:03:27 - <Info> - fast output device (regular) initialized: alert
5/10/2018 -- 17:03:27 - <Info> - eve-log output device (regular) initialized: eve.json
5/10/2018 -- 17:03:27 - <Config> - enabling 'eve-log' module 'alert'
5/10/2018 -- 17:03:27 - <Config> - enabling 'eve-log' module 'http'
5/10/2018 -- 17:03:27 - <Config> - enabling 'eve-log' module 'dns'
5/10/2018 -- 17:03:27 - <Config> - enabling 'eve-log' module 'tls'
5/10/2018 -- 17:03:27 - <Config> - enabling 'eve-log' module 'files'
5/10/2018 -- 17:03:27 - <Config> - enabling 'eve-log' module 'ssh'
5/10/2018 -- 17:03:27 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
5/10/2018 -- 17:03:27 - <Info

This file has been truncated.


stats.log (2300 bytes)
------------------------------------------------------------------------------------
Date: 10/5/2018 -- 17:03:28 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 35
decoder.bytes                              | Total                     | 3893
decoder.ipv4                               | Total                     | 35
decoder.ethernet                           | Total                     | 35
decoder.tcp                                | Total                     | 35
decoder.avg_pkt_size                       | Total                     | 111
decoder.max_pkt_size                       | Total                     | 500
flow.tcp                                   | Total                     | 3
tcp.sessions                               | Total                     | 3
tcp.syn                                    | Total                     | 3
tcp.synack                                 | Total                     | 3
detect.mpm_list                            | Total                     | 1
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 2
app_layer.flow.http                        | Total                     | 3
app_layer.tx.http                          | Total                     | 3
flow.spare                                 | Total                     | 9998
flow_mgr.flows_checked                     | Total                     | 3
flow_mgr.flows_notimeout                   | Total                     | 3
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65533
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074592


eve.json (874 bytes)
{"timestamp":"2018-10-04T16:00:02.825004+0000","flow_id":1513785802250557,"pcap_cnt":8,"event_type":"http","src_ip":"128.4.180.68","src_port":56971,"dest_ip":"151.101.129.67","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cnn.com","url":"\/","http_user_agent":"SearchProtect;"}}
{"timestamp":"2018-10-04T16:00:21.032810+0000","flow_id":198492871280179,"pcap_cnt":20,"event_type":"http","src_ip":"128.4.180.68","src_port":57011,"dest_ip":"151.101.193.67","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cnn.com","url":"\/","http_user_agent":"SearchProtect;"}}
{"timestamp":"2018-10-04T16:00:35.078871+0000","flow_id":1517271170415216,"pcap_cnt":32,"event_type":"http","src_ip":"128.4.180.68","src_port":57041,"dest_ip":"151.101.193.67","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cnn.com","url":"\/","http_user_agent":"SearchProtect;"}}


keyword_perf.log (706 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 10/5/2018 -- 17:03:28
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 


IDSDeathBlossom.py.log (1159 bytes)
2018-10-05 17:03:15,777 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-10-05 17:03:16,927 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-10-05 17:03:16,927 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2018-10-05 17:03:16,928 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-10-05 17:03:16,928 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-10-05 17:03:16,928 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/a5a661a95b07c9235529a24e37cd966cd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/10052018.1703-new-2022813-suri.pcap -vvv -k none
2018-10-05 17:03:28,200 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-10-05 17:03:28,201 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 12.4365019798


suricata-4.0.0-etopen-all-perf.txt-2018-10-05-T-17-03-28-10052018.1703-new-2022813-suri.pcap.txt (3542 bytes)
  --------------------------------------------------------------------------
  Date: 10/5/2018 -- 17:03:28. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2020027      1        3        14004        4.63   3        0        6006        4668.00     0.00        4668.00    
  2        2013382      1        3        13233        4.38   3        0        5811        4411.00     0.00        4411.00    
  3        2008420      1        4        20778        6.87   6        0        5583        3463.00     0.00        3463.00    
  4        2102523      1        8        12048        3.98   3        0        5103        4016.00     0.00        4016.00    
  5        2020369      1        3        11472        3.79   3        0        5034        3824.00     0.00        3824.00    
  6        2012612      1        16       12279        4.06   3        0        4839        4093.00     0.00        4093.00    
  7        2022502      1        4        11067        3.66   3        0        4575        3689.00     0.00        3689.00    
  8        2022813      1        2        10989        3.63   3        0        4512        3663.00     0.00        3663.00    
  9        2016537      1        2        27000        8.93   8        0        4491        3375.00     0.00        3375.00    
  10       2017552      1        6        34335        11.35  11       0        4218        3121.36     0.00        3121.36    
  11       2024134      1        2        10473        3.46   3        0        4167        3491.00     0.00        3491.00    
  12       2025114      1        1        10023        3.31   3        0        3894        3341.00     0.00        3341.00    
  13       2024139      1        2        9402         3.11   3        0        3891        3134.00     0.00        3134.00    
  14       2024771      1        1        11304        3.74   3        0        3873        3768.00     0.00        3768.00    
  15       2024142      1        2        10176        3.36   3        0        3735        3392.00     0.00        3392.00    
  16       2025005      1        13       9348         3.09   3        0        3657        3116.00     0.00        3116.00    
  17       2024140      1        2        9471         3.13   3        0        3501        3157.00     0.00        3157.00    
  18       2102523      1        8        9672         3.20   3        0        3474        3224.00     0.00        3224.00    
  19       2024133      1        2        9243         3.06   3        0        3402        3081.00     0.00        3081.00    
  20       2024141      1        2        9381         3.10   3        0        3402        3127.00     0.00        3127.00    
  21       2024137      1        2        9237         3.05   3        0        3294        3079.00     0.00        3079.00    
  22       2024136      1        2        9312         3.08   3        0        3210        3104.00     0.00        3104.00    
  23       2024138      1        2        9219         3.05   3        0        3180        3073.00     0.00        3073.00    
  24       2024135      1        2        8964         2.96   3        0        3144        2988.00     0.00        2988.00
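The artifacts above answer one question a rule tester cares about: did the signature this pcap was built for (2022813, taken from the pcap file name) actually fire? The run log shows the EVE 'alert' module was enabled, yet eve.json carries only three 'http' events and no 'alert' event, and the profiling table lists SID 2022813 with 3 checks and 0 matches. The script below is an added example, not code from this page, from IDSDeathBlossom or from Suricata; it cross-checks the three artifacts (eve.json, the rule-profiling rows and a few stats.log counters, all copied from the page and embedded inline) and classifies the outcome. The "new-<sid>-suri.pcap" naming convention used to recover the SID is an assumption about this site.

```python
"""Cross-check a Suricata test run: did the rule under test fire?

Added example (not from the page, IDSDeathBlossom or Suricata). The embedded
inputs are copied from the page's own eve.json, rule-profiling report and
stats.log. The SID is recovered from the pcap name; that naming convention
(new-<sid>-suri.pcap) is an assumption about the test site.
"""
import json
import re
from collections import Counter

PCAP_NAME = "new-2022813-suri.pcap"

# Copied from the page's eve.json: three HTTP events, no "alert" events.
EVE_JSON = r'''
{"timestamp":"2018-10-04T16:00:02.825004+0000","flow_id":1513785802250557,"pcap_cnt":8,"event_type":"http","src_ip":"128.4.180.68","src_port":56971,"dest_ip":"151.101.129.67","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cnn.com","url":"\/","http_user_agent":"SearchProtect;"}}
{"timestamp":"2018-10-04T16:00:21.032810+0000","flow_id":198492871280179,"pcap_cnt":20,"event_type":"http","src_ip":"128.4.180.68","src_port":57011,"dest_ip":"151.101.193.67","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cnn.com","url":"\/","http_user_agent":"SearchProtect;"}}
{"timestamp":"2018-10-04T16:00:35.078871+0000","flow_id":1517271170415216,"pcap_cnt":32,"event_type":"http","src_ip":"128.4.180.68","src_port":57041,"dest_ip":"151.101.193.67","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cnn.com","url":"\/","http_user_agent":"SearchProtect;"}}
'''

# Rows copied from the page's rule-profiling report (sorted by max ticks).
# SID 2102523 appears twice in the report, so the parser aggregates per SID.
RULE_PERF = """\
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2020027      1        3        14004        4.63   3        0        6006        4668.00     0.00        4668.00
  4        2102523      1        8        12048        3.98   3        0        5103        4016.00     0.00        4016.00
  8        2022813      1        2        10989        3.63   3        0        4512        3663.00     0.00        3663.00
  18       2102523      1        8        9672         3.20   3        0        3474        3224.00     0.00        3224.00
"""

# Counters copied from the page's stats.log.
STATS_LOG = """\
decoder.pkts                               | Total                     | 35
flow.tcp                                   | Total                     | 3
app_layer.flow.http                        | Total                     | 3
app_layer.tx.http                          | Total                     | 3
"""


def sid_from_pcap_name(name):
    """Assumed site convention: new-<sid>-suri.pcap names the rule under test."""
    m = re.search(r"-(\d+)-", name)
    return int(m.group(1)) if m else None


def parse_eve(text):
    """EVE is one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_rule_perf(text):
    """Return {sid: {...}}; checks/matches are summed if a SID is listed twice."""
    rows = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12 or not f[0].isdigit():
            continue  # header and separator lines
        sid = int(f[1])
        r = rows.setdefault(sid, {"gid": int(f[2]), "rev": int(f[3]),
                                  "checks": 0, "matches": 0, "max_ticks": 0})
        r["checks"] += int(f[6])
        r["matches"] += int(f[7])
        r["max_ticks"] = max(r["max_ticks"], int(f[8]))
    return rows


def parse_stats(text):
    """'counter | TM name | value' rows -> {counter: int}."""
    stats = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            stats[parts[0]] = int(parts[2])
    return stats


def assess_run(pcap_name=PCAP_NAME, eve_text=EVE_JSON,
               perf_text=RULE_PERF, stats_text=STATS_LOG):
    sid = sid_from_pcap_name(pcap_name)
    events = parse_eve(eve_text)
    perf = parse_rule_perf(perf_text)
    stats = parse_stats(stats_text)

    by_type = Counter(e["event_type"] for e in events)
    alerts = [e for e in events if e["event_type"] == "alert"
              and e.get("alert", {}).get("signature_id") == sid]
    http_txs = [e for e in events if e["event_type"] == "http"]
    # Sanity check: every HTTP transaction the engine counted was logged.
    http_complete = stats.get("app_layer.tx.http") == len(http_txs)
    row = perf.get(sid)

    if alerts:
        verdict = "fired"
    elif row is None:
        verdict = "no_checks_recorded"   # SID absent from the profiling rows
    elif row["checks"] > 0 and row["matches"] == 0:
        verdict = "checked_no_match"     # evaluated against traffic, never matched
    else:
        verdict = "undetermined"

    return {
        "sid": sid,
        "events_by_type": dict(by_type),
        "alerts_for_sid": len(alerts),
        "http_complete": http_complete,
        "perf": row,
        "user_agents": sorted({e["http"]["http_user_agent"] for e in http_txs}),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(assess_run(), indent=2))
```

For this run the verdict is checked_no_match: the signature was reached by the prefilter on all three HTTP transactions but its full match failed, which is the case to look at when a test pcap is expected to trigger its rule. Distinguishing that from no_checks_recorded matters, because the latter points at rule loading or prefilter selection rather than at the rule's content matches.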