Filename: 44b99603dde822b6b86577e64622e9a2f5b76b6d8bd23a3fe1b4d91b73d0230a_network.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 27.5171570778 seconds
Hash: a672c8a5b9a15d6823a6697fb6c9c76e
Uploaded: 1574684883

Logfiles


packet_stats.log (15422 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           175          4248172      216848150     114576365         20.1b   38.57
 IPv4      17           197          3189284      213263278     148978702         29.3b   56.46
 IPv6      17            21          4653252      211484440     122945346          2.6b    4.97
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           175           115414       21333080        900017        157.5m   62.40
TMM_FLOWWORKER              IPv4      17           197           282300        6300316        421460         83.0m   32.89
TMM_RECEIVEPCAPFILE         IPv4       6           174             4430         103842          5520        960.6k    0.38
TMM_RECEIVEPCAPFILE         IPv4      17           197             4468          19310          5397          1.1m    0.42
TMM_DECODEPCAPFILE          IPv4       6           174             4552          30684          5070        882.3k    0.35
TMM_DECODEPCAPFILE          IPv4      17           197             4568          66344          5265          1.0m    0.41
TMM_FLOWWORKER              IPv6      17            21           295730         825808        366905          7.7m    3.05
TMM_RECEIVEPCAPFILE         IPv6      17            21             4828           7052          5325        111.8k    0.04
TMM_DECODEPCAPFILE          IPv6      17            21             4614          22332          5898        123.9k    0.05

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           174             4796         421130          8595          1.5m  0.68  
flow                    IPv4      17           197             4764          73098          7498          1.5m  0.67  
stream                  IPv4       6           175             4596         835646         36302          6.4m  2.89  
app-layer               IPv4      17           197             4428         151522          8763          1.7m  0.78  
detect                  IPv4       6           175            77400       21174952        718951        125.8m  57.20 
detect                  IPv4      17           197           253262        6249362        380299         74.9m  34.06 
tcp-prune               IPv4       6           175             4438          24564          5371        940.0k  0.43  
flow                    IPv6      17            21             5016          74264         10620        223.0k  0.10  
app-layer               IPv6      17            21             4428          15586          5800        121.8k  0.06  
detect                  IPv6      17            21           267204         793788        327796          6.9m  3.13  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            13             6014          69306         13174        171.3k  33.26 
http                    IPv4      17            20             6074         105616         12501        250.0k  48.56 
dns                     IPv4      17             9             6670          28666         10403         93.6k  18.18 
Proto detect            IPv4       6             1            33694          33694         33694         33.7k
Proto detect            IPv4      17            38             4710         107350         13678        519.8k
Proto detect            IPv6      17             2             4842           6316          5579         11.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             3            43074          93328         72867        218.6k  1.53  
LOGGER_ALERT_FAST           IPv4      17             2            21070          23572         22321         44.6k  0.31  
LOGGER_UNIFIED2             IPv4       6             3            34106         123636         71518        214.6k  1.51  
LOGGER_UNIFIED2             IPv4      17             2            23096          27526         25311         50.6k  0.36  
LOGGER_JSON_ALERT           IPv4       6             3            83594         122650        105716        317.1k  2.23  
LOGGER_JSON_ALERT           IPv4      17             2            42240          46326         44283         88.6k  0.62  
LOGGER_JSON_DNS             IPv4      17             8            33510         147778         73986        591.9k  4.15  
LOGGER_JSON_HTTP            IPv4       6            14            43518         122738         66274        927.8k  6.51  
LOGGER_JSON_FILE            IPv4       6            26            49028        9371450        453592         11.8m  82.78 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            93             4500       20990314        287792        26.8m  43.56 
payload                           IPv4      17           197            10552         153432         34120         6.7m  10.94 
stream                            IPv4       6            93             4438         713494         78374         7.3m  11.86 
http_uri                          IPv4       6            14             6636       13254724        963648        13.5m  21.96 
http_request_line                 IPv4       6            14             6418          19924         10347       144.9k  0.24  
http_client_body                  IPv4       6            14             4896         559694        123766         1.7m  2.82  
http_header (request)             IPv4       6            14            37134         107878         75017         1.1m  1.71  
http_header (request trailer)     IPv4       6            14             4510          21782          5927        83.0k  0.14  
http_header_names (request)       IPv4       6            14            15174          39962         27021       378.3k  0.62  
http_accept (request)             IPv4       6            14             5236          14558          6224        87.1k  0.14  
http_referer (request)            IPv4       6            14             4774           5954          5200        72.8k  0.12  
http_content_len (request)        IPv4       6            14             4902          14060          7547       105.7k  0.17  
http_content_type (request)       IPv4       6            14             4808          25836         10461       146.5k  0.24  
http_protocol (request)           IPv4       6            14             5556           9212          7203       100.9k  0.16  
http_start (request)              IPv4       6            14            11422          57676         21777       304.9k  0.50  
http_raw_header (request)         IPv4       6            14            15270          30550         19805       277.3k  0.45  
http_method                       IPv4       6            14             6728          23396         10559       147.8k  0.24  
http_cookie (request)             IPv4       6            14             4950           6796          5666        79.3k  0.13  
http_raw_uri                      IPv4       6            14             4958           9280          7072        99.0k  0.16  
http_user_agent                   IPv4       6            14             5274          12954          9162       128.3k  0.21  
http_host                         IPv4       6            14             5728          17670         10106       141.5k  0.23  
dns_query                         IPv4      17             4            12798          19972         15694        62.8k  0.10  
http_response_line                IPv4       6            13             6760          15202         10026       130.4k  0.21  
http_header (response)            IPv4       6            13            23326          92936         52769       686.0k  1.12  
http_header (response trailer)    IPv4       6            13             4548           4834          4661        60.6k  0.10  
http_content_type (response)      IPv4       6            13             8122          22602         12058       156.8k  0.26  
http_raw_header (response)        IPv4       6            24             6286          34628         11539       276.9k  0.45  
http_cookie (response)            IPv4       6            13             4936           5982          5212        67.8k  0.11  
http_stat_code                    IPv4       6            13             5392          26880          7702       100.1k  0.16  
file_data (http response)         IPv4       6            11             4926           8020          5595        61.6k  0.10  
Total                             IPv4                   752                                         81049        60.9m
payload                           IPv6      17            21            14928         103296         23546       494.5k  0.80  
Total                             IPv6                    21                                         23546       494.5k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            28            14086         140336         54972          1.5m  0.56  
PROF_DETECT_IPONLY          IPv4      17            38            12402         271678         63085          2.4m  0.88  
PROF_DETECT_RULES           IPv4       6           175             4448        8553500        255681         44.7m  16.35 
PROF_DETECT_RULES           IPv4      17           197           130424        6007306        221944         43.7m  15.98 
PROF_DETECT_STATEFUL_START    IPv4       6            51             8948        1909954        245208         12.5m  4.57  
PROF_DETECT_STATEFUL_START    IPv4      17             2            16952          19442         18197         36.4k  0.01  
PROF_DETECT_STATEFUL_CONT    IPv4       6           175             4404          57320          8306          1.5m  0.53  
PROF_DETECT_STATEFUL_CONT    IPv4      17           197             4400          23936          5161          1.0m  0.37  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           100             4452         428496          9157        915.7k  0.33  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             8             4560          22844          7068         56.5k  0.02  
PROF_DETECT_PREFILTER       IPv4       6           175            13618       21055138        361121         63.2m  23.09 
PROF_DETECT_PREFILTER       IPv4      17           197            52770         301414         75805         14.9m  5.46  
PROF_DETECT_PF_PAYLOAD      IPv4       6            93            26608       21011716        380173         35.4m  12.92 
PROF_DETECT_PF_PAYLOAD      IPv4      17           197            19826         162336         43568          8.6m  3.14  
PROF_DETECT_PF_TX           IPv4       6           100             4482       13745174        229602         23.0m  8.39  
PROF_DETECT_PF_TX           IPv4      17             4            22442          29814         25540        102.2k  0.04  
PROF_DETECT_PF_SORT1        IPv4       6            71             4524          21268          6352        451.0k  0.16  
PROF_DETECT_PF_SORT1        IPv4      17           197             4762         163400          6330          1.2m  0.46  
PROF_DETECT_PF_SORT2        IPv4       6           175             4442          20914          5468        956.9k  0.35  
PROF_DETECT_PF_SORT2        IPv4      17           197             4482          55170          5095          1.0m  0.37  
PROF_DETECT_NONMPMLIST      IPv4       6           175             4448          29540          5396        944.3k  0.35  
PROF_DETECT_NONMPMLIST      IPv4      17           197             4420           7048          4907        966.7k  0.35  
PROF_DETECT_ALERT           IPv4       6           175             4414         456396          7357          1.3m  0.47  
PROF_DETECT_ALERT           IPv4      17           197             4420          45176          5082          1.0m  0.37  
PROF_DETECT_CLEANUP         IPv4       6           175             4456         420462          7854          1.4m  0.50  
PROF_DETECT_CLEANUP         IPv4      17           197             4408          86780          5340          1.1m  0.38  
PROF_DETECT_GETSGH          IPv4       6           175             4434          79194          8364          1.5m  0.53  
PROF_DETECT_GETSGH          IPv4      17           197             4406          45384          7268          1.4m  0.52  
PROF_DETECT_IPONLY          IPv6      17             2             7780          31436         19608         39.2k  0.01  
PROF_DETECT_RULES           IPv6      17            21           147120         589266        193295          4.1m  1.48  
PROF_DETECT_STATEFUL_CONT    IPv6      17            21             4438           6174          4867        102.2k  0.04  
PROF_DETECT_PREFILTER       IPv6      17            21            52024         142518         64693          1.4m  0.50  
PROF_DETECT_PF_PAYLOAD      IPv6      17            21            23782         112174         32852        689.9k  0.25  
PROF_DETECT_PF_SORT1        IPv6      17            21             4904           6448          5393        113.3k  0.04  
PROF_DETECT_PF_SORT2        IPv6      17            21             4468           7288          4887        102.6k  0.04  
PROF_DETECT_NONMPMLIST      IPv6      17            21             4420          21532          5663        118.9k  0.04  
PROF_DETECT_ALERT           IPv6      17            21             4422           6030          4812        101.1k  0.04  
PROF_DETECT_CLEANUP         IPv6      17            21             4414           6354          4797        100.7k  0.04  
PROF_DETECT_GETSGH          IPv6      17            21             4426          58932          7713        162.0k  0.06  


suricata-report-2019-11-25-T-12-28-31-11252019.1228-44b99603dde822b6b86577e64622e9a2f5b76b6d8bd23a3fe1b4d91b73d0230a_network.pcap.txt (17994 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/a672c8a5b9a15d6823a6697fb6c9c76e56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11252019.1228-44b99603dde822b6b86577e64622e9a2f5b76b6d8bd23a3fe1b4d91b73d0230a_network.pcap -vvv -k none
elapsedtime:26.402410
stderr:
stdout:
25/11/2019 -- 12:28:04 - <Info> - Configuration node 'rule-files' redefined.
25/11/2019 -- 12:28:04 - <Notice> - This is Suricata version 4.0.0 RELEASE
25/11/2019 -- 12:28:04 - <Info> - CPUs/cores online: 1
25/11/2019 -- 12:28:04 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33907 and 'request-body-inspect-window' set to 16462 after randomization.
25/11/2019 -- 12:28:04 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34306 and 'response-body-inspect-window' set to 16848 after randomization.
25/11/2019 -- 12:28:04 - <Config> - DNS request flood protection level: 500
25/11/2019 -- 12:28:04 - <Config> - DNS per flow memcap (state-memcap): 524288
25/11/2019 -- 12:28:04 - <Config> - DNS global memcap: 16777216
25/11/2019 -- 12:28:05 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
25/11/2019 -- 12:28:05 - <Config> - preallocated 1000 hosts of size 136
25/11/2019 -- 12:28:05 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
25/11/2019 -- 12:28:05 - <Config> - using magic-file /usr/share/file/magic
25/11/2019 -- 12:28:05 - <Config> - Core dump size is unlimited.
25/11/2019 -- 12:28:05 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
25/11/2019 -- 12:28:05 - <Config> - preallocated 1000 defrag trackers of size 168
25/11/2019 -- 12:28:05 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
25/11/2019 -- 12:28:05 - <Config> - stream "prealloc-sessions": 2048 (per thread)
25/11/2019 -- 12:28:05 - <Config> - stream "memcap": 33554432
25/11/2019 -- 12:28:05 - <Config> - stream "midstream" session pickups: disabled
25/11/2019 -- 12:28:05 - <Config> - stream "async-oneside": disabled
25/11/2019 -- 12:28:05 - <Config> - stream "checksum-validation": disabled
25/11/2019 -- 12:28:05 - <Config> - stream."inline": disabled
25/11/2019 -- 12:28:05 - <Config> - stream "bypass": disabled
25/11/2019 -- 12:28:05 - <Config> - stream "max-synack-queued": 5
25/11/2019 -- 12:28:05 - <Config> - stream.reassembly "memcap": 134217728
25/11/2019 -- 12:28:05 - <Config> - stream.reassembly "depth": 0
25/11/2019 -- 12:28:05 - <Config> - stream.reassembly "toserver-chunk-size": 2469
25/11/2019 -- 12:28:05 - <Config> - stream.reassembly "toclient-chunk-size": 2600
25/11/2019 -- 12:28:05 - <Config> - stream.reassembly.raw: enabled
25/11/2019 -- 12:28:05 - <Config> - stream.reassembly "segment-prealloc": 2048
25/11/2019 -- 12:28:05 - <Config> - Delayed detect disabled
25/11/2019 -- 12:28:05 - <Config> - pattern matchers: MPM: ac, SPM: bm
25/11/2019 -- 12:28:05 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
25/11/2019 -- 12:28:05 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
25/11/2019 -- 12:28:05 - <Config> - prefilter engines: MPM
25/11/2019 -- 12:28:05 - <Config> - IP reputation disabled
25/11/2019 -- 12:28:05 - <Perf> - Registered 148 keyword profiling counters.
25/11/2019 -- 12:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
25/11/2019 -- 12:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
25/11/2019 -- 12:28:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
25/11/2019 -- 12:28:10 - <Config> - No rules loaded from ET-icmp.rules.
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
25/11/2019 -- 12:28:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
25/11/2019 -- 12:28:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
25/11/2019 -- 12:28:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
25/11/2019 -- 12:28:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
25/11/2019 -- 12:28:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
25/11/2019 -- 12:28:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
25/11/2019 -- 12:28:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
25/11/2019 -- 12:28:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
25/11/2019 -- 12:28:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
25/11/2019 -- 12:28:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
25/11/2019 -- 12:28:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
25/11/2019 -- 12:28:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
25/11/2019 -- 12:28:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
25/11/2019 -- 12:28:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
25/11/2019 -- 12:28:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
25/11/2019 -- 12:28:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
25/11/2019 -- 12:28:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
25/11/2019 -- 12:28:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
25/11/2019 -- 12:28:18 - <Config> - No rules loaded from local.rules.
25/11/2019 -- 12:28:18 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
25/11/2019 -- 12:28:18 - <Info> - Threshold config parsed: 0 rule(s) found
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for tcp-packet
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for tcp-stream
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for udp-packet
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for other-ip
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_uri
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_request_line
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_client_body
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_response_line
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_header
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_header
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_header_names
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_header_names
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_accept
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_accept_enc
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_accept_lang
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_referer
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_connection
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_content_len
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_content_len
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_content_type
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_content_type
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_protocol
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_protocol
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_start
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_start
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_raw_header
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_raw_header
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_method
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_cookie
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_cookie
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_raw_uri
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_user_agent
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_host
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_raw_host
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_stat_msg
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_stat_code
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for dns_query
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for tls_sni
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for tls_cert_issuer
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for tls_cert_subject
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for tls_cert_serial
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for dce_stub_data
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for dce_stub_data
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for ssh_protocol
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for ssh_protocol
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for ssh_software
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for ssh_software
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for file_data
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for file_data
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_request_line
25/11/2019 -- 12:28:19 - <Perf> - using shared mpm ctx' for http_response_line
25/11/2019 -- 12:28:19 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
25/11/2019 -- 12:28:19 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
25/11/2019 -- 12:28:19 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
25/11/2019 -- 12:28:19 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
25/11/2019 -- 12:28:19 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
25/11/2019 -- 12:28:19 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
25/11/2019 -- 12:28:19 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
25/11/2019 -- 12:28:19 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
25/11/2019 -- 12:28:26 - <Perf> - Unique rule groups: 104
25/11/2019 -- 12:28:26 - <Perf> - Builtin MPM "toserver TCP packet": 35
25/11/2019 -- 12:28:26 - <Perf> - Builtin MPM "toclient TCP packet": 17
25/11/2019 -- 12:28:26 - <Perf> - Builtin MPM "toserver TCP stream": 33
25/11/2019 -- 12:28:26 - <Perf> - Builtin MPM "toclient TCP stream": 19
25/11/2019 -- 12:28:26 - <Perf> - Builtin MPM "toserver UDP packet": 27
25/11/2019 -- 12:28:26 - <Perf> - Builtin MPM "toclient UDP packet": 17
25/11/2019 -- 12:28:26 - <Perf> - Builtin MPM "other IP packet": 3
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_uri": 14
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_request_line": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_client_body": 6
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient http_response_line": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_header": 10
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient http_header": 6
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_header_names": 2
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_accept": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_referer": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_content_len": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_content_type": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient http_content_type": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_protocol": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_start": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_method": 5
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_cookie": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient http_cookie": 2
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver http_host": 2
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver dns_query": 4
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver tls_sni": 2
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toserver file_data": 1
25/11/2019 -- 12:28:26 - <Perf> - AppLayer MPM "toclient file_data": 7
25/11/2019 -- 12:28:29 - <Perf> - Registered 39590 rule profiling counters.
25/11/2019 -- 12:28:29 - <Info> - fast output device (regular) initialized: alert
25/11/2019 -- 12:28:29 - <Info> - eve-log output device (regular) initialized: eve.json
25/11/2019 -- 12:28:29 - <Config> - enabling 'eve-log' module 'alert'
25/11/2019 -- 12:28:29 - <Config> - enabling 'eve-log' module 'http'
25/11/2019 -- 12:28:29 - <Config> - enabling 'eve-log' module 'dns'
25/11/2019 -- 12:28:29 - <Config> - enabling 'eve-log' module 'tls'
25/11/2019 -- 12:28:29 - <Config> - enabling 'eve-log' module 'files'
25/11/2019 -- 12:28:29 - <Config> - enabling 'eve-log' module 'ssh'
25/11/2019 -- 12:28:29 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
25/11/2019 -- 12:28:29 - <Info> - stats output device (regular) initialized: stats.log
25/

This file has been truncated.


suricata-4.0.0-etpro-all-perf.txt-2019-11-25-T-12-28-31-11252019.1228-44b99603dde822b6b86577e64622e9a2f5b76b6d8bd23a3fe1b4d91b73d0230a_network.pcap.txt - (22487 bytes)
  --------------------------------------------------------------------------
  Date: 11/25/2019 -- 12:28:31. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2811447      1        2        10102178     17.38  22       0        8463176     459189.91   0.00        459189.91  
  2        2025142      1        2        1281308      2.21   11       0        513586      116482.55   0.00        116482.55  
  3        2828212      1        2        844346       1.45   11       0        464162      76758.73    0.00        76758.73   
  4        2014133      1        4        833084       1.43   11       0        462296      75734.91    0.00        75734.91   
  5        2023612      1        4        1397724      2.41   210      0        423948      6655.83     0.00        6655.83    
  6        2023617      1        3        1399760      2.41   210      0        421516      6665.52     0.00        6665.52    
  7        2023613      1        3        1382098      2.38   210      0        420606      6581.42     0.00        6581.42    
  8        2815754      1        2        880070       1.51   9        0        411312      97785.56    0.00        97785.56   
  9        2023624      1        3        1225516      2.11   218      0        238778      5621.63     0.00        5621.63    
  10       2811429      1        3        264930       0.46   2        2        135122      132465.00   132465.00   0.00       
  11       2822181      1        4        266614       0.46   10       0        117378      26661.40    0.00        26661.40   
  12       2815481      1        6        610234       1.05   9        0        109534      67803.78    0.00        67803.78   
  13       2020825      1        6        226498       0.39   10       0        106758      22649.80    0.00        22649.80   
  14       2023766      1        2        193702       0.33   2        0        98860       96851.00    0.00        96851.00   
  15       2823423      1        3        194658       0.33   2        0        97870       97329.00    0.00        97329.00   
  16       2023083      1        2        224508       0.39   3        0        96826       74836.00    0.00        74836.00   
  17       2018316      1        4        95072        0.16   1        0        95072       95072.00    0.00        95072.00   
  18       2020470      1        6        198224       0.34   10       0        94838       19822.40    0.00        19822.40   
  19       2810991      1        4        181852       0.31   2        0        93358       90926.00    0.00        90926.00   
  20       2821561      1        2        751744       1.29   11       0        91622       68340.36    0.00        68340.36   
  21       2021067      1        2        627958       1.08   11       0        86818       57087.09    0.00        57087.09   
  22       2815363      1        3        145058       0.25   2        0        85520       72529.00    0.00        72529.00   
  23       2015896      1        3        84028        0.14   1        0        84028       84028.00    0.00        84028.00   
  24       2819993      1        2        162392       0.28   2        0        81688       81196.00    0.00        81196.00   
  25       2815480      1        6        136106       0.23   2        0        79318       68053.00    0.00        68053.00   
  26       2814572      1        4        132898       0.23   2        0        77770       66449.00    0.00        66449.00   
  27       2826256      1        2        652150       1.12   14       0        77700       46582.14    0.00        46582.14   
  28       2814883      1        3        147690       0.25   2        0        77406       73845.00    0.00        73845.00   
  29       2816669      1        4        667192       1.15   11       0        74524       60653.82    0.00        60653.82   
  30       2024848      1        2        693266       1.19   11       0        74250       63024.18    0.00        63024.18   
  31       2811280      1        7        522702       0.90   9        0        73890       58078.00    0.00        58078.00   
  32       2014701      1        12       196296       0.34   8        0        72778       24537.00    0.00        24537.00   
  33       2020027      1        3        71218        0.12   1        0        71218       71218.00    0.00        71218.00   
  34       2828955      1        2        139882       0.24   2        0        70142       69941.00    0.00        69941.00   
  35       2022197      1        3        569254       0.98   11       0        69300       51750.36    0.00        51750.36   
  36       2811711      1        2        443962       0.76   11       0        68424       40360.18    0.00        40360.18   
  37       2807925      1        1        530122       0.91   22       0        66222       24096.45    0.00        24096.45   
  38       2021775      1        2        65530        0.11   1        0        65530       65530.00    0.00        65530.00   
  39       2012707      1        5        515524       0.89   13       0        65476       39655.69    0.00        39655.69   
  40       2829848      1        2        110486       0.19   2        0        64496       55243.00    0.00        55243.00   
  41       2809861      1        6        116096       0.20   2        0        63900       58048.00    0.00        58048.00   
  42       2819785      1        2        119326       0.21   2        0        63678       59663.00    0.00        59663.00   
  43       2809816      1        2        581246       1.00   11       0        63566       52840.55    0.00        52840.55   
  44       2018666      1        4        63260        0.11   1        0        63260       63260.00    0.00        63260.00   
  45       2806132      1        3        120756       0.21   2        0        62092       60378.00    0.00        60378.00   
  46       2828060      1        4        111196       0.19   2        0        61800       55598.00    0.00        55598.00   
  47       2814474      1        4        114748       0.20   2        0        61346       57374.00    0.00        57374.00   
  48       2816356      1        2        180656       0.31   3        0        60786       60218.67    0.00        60218.67   
  49       2816394      1        2        447356       0.77   11       0        60390       40668.73    0.00        40668.73   
  50       2816165      1        5        730006       1.26   14       0        60340       52143.29    0.00        52143.29   
  51       2020029      1        2        112750       0.19   2        0        59266       56375.00    0.00        56375.00   
  52       2816055      1        2        106438       0.18   2        0        58618       53219.00    0.00        53219.00   
  53       2019980      1        3        58476        0.10   1        1        58476       58476.00    58476.00    0.00       
  54       2815753      1        2        114026       0.20   2        0        57952       57013.00    0.00        57013.00   
  55       2821148      1        4        527108       0.91   11       0        56744       47918.91    0.00        47918.91   
  56       2020742      1        1        56452        0.10   1        0        56452       56452.00    0.00        56452.00   
  57       2811577      1        2        195530       0.34   8        0        56050       24441.25    0.00        24441.25   
  58       2019230      1        2        150208       0.26   8        0        55728       18776.00    0.00        18776.00   
  59       2811542      1        1        53596        0.09   1        0        53596       53596.00    0.00        53596.00   
  60       2020741      1        1        53472        0.09   1        0        53472       53472.00    0.00        53472.00   
  61       2811544      1        1        148492       0.26   8        0        52678       18561.50    0.00        18561.50   
  62       2017552      1        6        1117836      1.92   38       0        52338       29416.74    0.00        29416.74   
  63       2828986      1        2        100336       0.17   2        0        52146       50168.00    0.00        50168.00   
  64       2826031      1        2        52098        0.09   1        0        52098       52098.00    0.00        52098.00   
  65       2827580      1        7        150718       0.26   13       0        52064       11593.69    0.00        11593.69   
  66       2806921      1        3        420914       0.72   11       0        51990       38264.91    0.00        38264.91   
  67       2017259      1        12       101650       0.17   2        0        51008       50825.00    0.00        50825.00   
  68       2021038      1        4        99460        0.17   2        0        50056       49730.00    0.00        49730.00   
  69       2024771      1        1        156582       0.27   13       0        49794       12044.77    0.00        12044.77   
  70       2019155      1        2        519072       0.89   11       0        49734       47188.36    0.00        47188.36   
  71       2811279      1        7        98372        0.17   2        0        49534       49186.00    0.00        49186.00   
  72       2830036      1        1        410418       0.71   11       0        49136       37310.73    0.00        37310.73   
  73       2826281      1        2        120532       0.21   4        0        43860       30133.00    0.00        30133.00   
  74       2806959      1        2        399900       0.69   11       0        43502       36354.55    0.00        36354.55   
  75       2014704      1        7        416308       0.72   11       0        42668       37846.18    0.00        37846.18   
  76       2820309      1        2        435440       0.75   11       0        41830       39585.45    0.00        39585.45   
  77       2025101      1        1        78922        0.14   2        0        40388       39461.00    0.00        39461.00   
  78       2016537      1        2        713802       1.23   27       0        39952       26437.11    0.00        26437.11   
  79       2022502      1        4        116186       0.20   3        0        39820       38728.67    0.00        38728.67   
  80       2013739      1        15       1001858      1.72   207      0        37830       4839.89     0.00        4839.89    
  81       2014380      1        4        393514       0.68   32       0        37388       12297.31    0.00        12297.31   
  82       2020936      1        3        389400       0.67   11       0        36954       35400.00    0.00        35400.00   
  83       2023618      1        3        982640       1.69   204      0        36346       4816.86     0.00        4816.86    
  84       2023625      1        3        1020402      1.76   211      0        33968       4836.03     0.00        4836.03    
  85       2023626      1        3        1032890      1.78   217      0        30992       4759.86     0.00        4759.86    
  86       2804589      1        3        96438        0.17   13       0        30338       7418.31     0.00        7418.31    
  87       2021053      1        1        74910        0.13   10       0        30190       7491.00     0.00        7491.00    
  88       2022543      1        1        105474       0.18   4        0        30006       26368.50    0.00        26368.50   
  89       2025105      1        2        56774        0.10   2        0        29614       28387.00    0.00        28387.00   
  90       2805442      1        2        788894       1.36   166      0        28968       4752.37     0.00        4752.37    
  91       2810487      1        1        28004        0.05   1        0        28004       28004.00    0.00        28004.00   
  92       2023789      1        1        64318        0.11   4        2        27912       16079.50    27681.00    4478.00    
  93       2803760      1        3        101158       0.17   4        0        27598       25289.50    0.00        25289.50   
  94       2807926      1        3        452048       0.78   22       0        26304       20547.64    0.00        20547.64   
  95       2014703      1        9        116514       0.20   8        0        25420       14564.25    0.00        14564.25   
  96       2014702      1        9        113038       0.19   8        0        24428       14129.75    0.00        14129.75   
  97       2804587      1        2        87556        0.15   13       0        24318       6735.08     0.00        6735.08    
  98       2023619      1        3        986350       1.70   207      0        24086       4764.98     0.00        4764.98    
  99       2009702      1        5        72324        0.12   8        0        23738       9040.50     0.00        9040.50    
  100      2828876      1        1        253206       0.44   45       0        23536       5626.80     0.00        5626.80    
  101      2023614      1        3        1019060      1.75   209      0        23480       4875.89     0.00        4875.89    
  102      2023627      1        3        985196       1.70   211      0        22924       4669.18     0.00        4669.18    
  103      2002911      1        6        74106        0.13   11       0        22384       6736.91     0.00        6736.91    
  104      2023615      1        3        1026994      1.77   209      0        21944       4913.85     0.00        4913.85    
  105      2013926      1        8        103192       0.18   13       0        21744       7937.85     0.00        7937.85    
  106      2025200      1        1        61096        0.11   8        0        21668       7637.00     0.00        7637.00    
  107      2002995      1        10       83104        0.14   11       0        21142       7554.91     0.00        7554.91    
  108      2023616      1        3        946186       1.63   206      0        20600       4593.14     0.00        4593.14    
  109      2023620      1        3        950702       1.64   206      0        20378       4615.06     0.00        4615.06    
  110      2023621      1        4        993792       1.71   209      0        20132       4754.99     0.00        4754.99    
  111      2023623      1        3        980152       1.69   209      0        20040       4689.72     0.00        4689.72    
  112      2016323      1        1        24954        0.04   3        0        14278       8318.00     0.00        8318.00    
  113      2008116      1        4        31316        0.05   5        0        10122       6263.20     0.00        6263.20    
  114      2009243      1        2        18890        0.03   3        0        8742        6296.67     0.00        6296.67    
  115      2019011      1        3        8438         0.01   1        0        8438        8438.00     0.00        8438.00    
  116      2013506      1        1        63368        0.11   11       0        8276        5760.73     0.00        5760.73    
  117      2806561      1        5        65292        0.11   11       0        7806        5935.64     0.00        5935.64    
  118      2100540      1        12       287372       0.49   58       0        7702        4954.69     0.00        4954.69    
  119      2802205      1        3        27066        0.05   5        0        7094        5413.20     0.00        5413.20    
  120      2100566      1        5        17576        0.03   3        0        7034        5858.67     0.00        5858.67    
  121      2827279      1        5        64072        0.11   11       0        6998        5824.73     0.00        5824.73    
  122      2802822      1        1        12068        0.02   2        0        6938        6034.00     0.00        6034.00    
  123      2810795      1        5        58322        0.10   11       0        6898        5302.00     0.00        5302.00    
  124      2102523      1        8        136154       0.23   27       0        6820        5042.74     0.00        5042.74    
  125      2001219      1        20       

This file has been truncated.


stats.log - (3377 bytes)
------------------------------------------------------------------------------------
Date: 11/25/2019 -- 12:28:31 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 471
decoder.bytes                              | Total                     | 314587
decoder.ipv4                               | Total                     | 371
decoder.ipv6                               | Total                     | 21
decoder.ethernet                           | Total                     | 471
decoder.tcp                                | Total                     | 174
decoder.udp                                | Total                     | 218
decoder.avg_pkt_size                       | Total                     | 667
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 14
flow.udp                                   | Total                     | 36
tcp.sessions                               | Total                     | 14
tcp.syn                                    | Total                     | 16
tcp.synack                                 | Total                     | 14
tcp.rst                                    | Total                     | 1
tcp.overlap                                | Total                     | 6
detect.alert                               | Total                     | 5
detect.mpm_list                            | Total                     | 11
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 12
app_layer.flow.http                        | Total                     | 13
app_layer.tx.http                          | Total                     | 14
app_layer.flow.dns_udp                     | Total                     | 4
app_layer.tx.dns_udp                       | Total                     | 4
app_layer.flow.failed_udp                  | Total                     | 32
flow_mgr.closed_pruned                     | Total                     | 3
flow_mgr.new_pruned                        | Total                     | 12
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 43
flow_mgr.flows_notimeout                   | Total                     | 28
flow_mgr.flows_timeout                     | Total                     | 15
flow_mgr.flows_removed                     | Total                     | 15
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65493
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7086688


eve.json - (25791 bytes)
{"timestamp":"2019-11-21T20:32:49.202475+0000","flow_id":1294498654129246,"pcap_cnt":27,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":49277,"dest_ip":"192.168.240.91","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.91","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-11-21T20:32:49.202703+0000","flow_id":1294498654129246,"pcap_cnt":29,"event_type":"http","src_ip":"192.168.240.87","src_port":49277,"dest_ip":"192.168.240.91","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.91","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-11-21T20:32:49.203888+0000","flow_id":1294498654129246,"pcap_cnt":31,"event_type":"fileinfo","src_ip":"192.168.240.91","src_port":5357,"dest_ip":"192.168.240.87","dest_port":49277,"proto":"TCP","http":{"hostname":"192.168.240.91","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-11-21T20:32:50.475524+0000","flow_id":917963166332506,"pcap_cnt":47,"event_type":"fileinfo","src_ip":"192.168.240.91","src_port":49236,"dest_ip":"192.168.240.87","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.87","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-11-21T20:32:50.475827+0000","flow_id":917963166332506,"pcap_cnt":49,"event_type":"http","src_ip":"192.168.240.91","src_port":49236,"dest_ip":"192.168.240.87","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.87","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-11-21T20:32:50.477156+0000","flow_id":917963166332506,"pcap_cnt":51,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":5357,"dest_ip":"192.168.240.91","dest_port":49236,"proto":"TCP","http":{"hostname":"192.168.240.87","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-11-21T20:32:52.157840+0000","flow_id":860307525493055,"pcap_cnt":65,"event_type":"fileinfo","src_ip":"192.168.240.216","src_port":49192,"dest_ip":"192.168.240.87","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.87","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-11-21T20:32:52.157982+0000","flow_id":860307525493055,"pcap_cnt":67,"event_type":"http","src_ip":"192.168.240.216","src_port":49192,"dest_ip":"192.168.240.87","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.87","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-11-21T20:32:52.158647+0000","flow_id":860307525493055,"pcap_cnt":69,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":5357,"dest_ip":"192.168.240.216","dest_port":49192,"proto":"TCP","http":{"hostname":"192.168.240.87","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-11-21T20:33:31.536258+0000","flow_id":1720035426641269,"pcap_cnt":94,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":49279,"dest_ip":"192.168.240.95","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.95","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-11-21T20:33:31.536433+0000","flow_id":1720035426641269,"pcap_cnt":96,"event_type":"http","src_ip":"192.168.240.87","src_port":49279,"dest_ip":"192.168.240.95","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.95","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-11-21T20:33:31.537669+0000","flow_id":1720035426641269,"pcap_cnt":98,"event_type":"fileinfo","src_ip":"192.168.240.95","src_port":5357,"dest_ip":"192.168.240.87","dest_port":49279,"proto":"TCP","http":{"hostname":"192.168.240.95","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-11-21T20:33:37.724393+0000","flow_id":1221243695072915,"pcap_cnt":135,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":49280,"dest_ip":"192.168.240.95","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.95","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-11-21T20:33:37.724533+0000","flow_id":1221243695072915,"pcap_cnt":137,"event_type":"http","src_ip":"192.168.240.87","src_port":49280,"dest_ip":"192.168.240.95","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.95","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-11-21T20:33:37.725202+0000","flow_id":1221243695072915,"pcap_cnt":139,"event_type":"fileinfo","src_ip":"192.168.240.95","src_port":5357,"dest_ip":"192.168.240.87","dest_port":49280,"proto":"TCP","http":{"hostname":"192.168.240.95","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-11-21T20:33:47.105331+0000","flow_id":1844559414532979,"pcap_cnt":148,"event_type":"dns","src_ip":"192.168.240.87","src_port":63515,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20325,"rrname":"myexternalip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-21T20:33:47.106699+0000","flow_id":1844559414532979,"pcap_cnt":149,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":63515,"proto":"UDP","dns":{"type":"answer","id":20325,"rcode":"NOERROR","rrname":"myexternalip.com","rrtype":"A","ttl":333,"rdata":"216.239.32.21"}}
{"timestamp":"2019-11-21T20:33:47.106699+0000","flow_id":1844559414532979,"pcap_cnt":149,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":63515,"proto":"UDP","dns":{"type":"answer","id":20325,"rcode":"NOERROR","rrname":"myexternalip.com","rrtype":"A","ttl":333,"rdata":"216.239.34.21"}}
{"timestamp":"2019-11-21T20:33:47.106699+0000","flow_id":1844559414532979,"pcap_cnt":149,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":63515,"proto":"UDP","dns":{"type":"answer","id":20325,"rcode":"NOERROR","rrname":"myexternalip.com","rrtype":"A","ttl":333,"rdata":"216.239.38.21"}}
{"timestamp":"2019-11-21T20:33:47.106699+0000","flow_id":1844559414532979,"pcap_cnt":149,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":63515,"proto":"UDP","dns":{"type":"answer","id":20325,"rcode":"NOERROR","rrname":"myexternalip.com","rrtype":"A","ttl":333,"rdata":"216.239.36.21"}}
{"timestamp":"2019-11-21T20:33:47.228004+0000","flow_id":662970961721921,"pcap_cnt":156,"event_type":"alert","src_ip":"192.168.240.87","src_port":49281,"dest_ip":"216.239.32.21","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019980,"rev":3,"signature":"ET POLICY Possible IP Check myexternalip.com","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-11-21T20:33:47.229059+0000","flow_id":662970961721921,"pcap_cnt":157,"event_type":"http","src_ip":"192.168.240.87","src_port":49281,"dest_ip":"216.239.32.21","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"myexternalip.com","url":"\/raw","http_content_type":"text\/html"}}
{"timestamp":"2019-11-21T20:33:47.229059+0000","flow_id":662970961721921,"pcap_cnt":157,"event_type":"fileinfo","src_ip":"216.239.32.21","src_port":80,"dest_ip":"192.168.240.87","dest_port":49281,"proto":"TCP","http":{"hostname":"myexternalip.com","url":"\/raw","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13},"app_proto":"http","fileinfo":{"filename":"\/raw","gaps":false,"state":"CLOSED","stored":false,"size":13,"tx_id":0}}
{"timestamp":"2019-11-21T20:33:46.478258+0000","flow_id":407394637728818,"pcap_cnt":159,"event_type":"alert","src_ip":"192.168.240.87","src_port":56373,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2023789,"rev":1,"signature":"ET TROJAN DustySky Downeks\/Quasar\/other DNS Lookup (gameoolines .com)","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2019-11-21T20:33:46.478258+0000","flow_id":407394637728818,"pcap_cnt":159,"event_type":"dns","src_ip":"192.168.240.87","src_port":56373,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17151,"rrname":"en.gameoolines.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-21T20:33:47.385933+0000","flow_id":407394637728818,"pcap_cnt":160,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":56373,"proto":"UDP","dns":{"type":"answer","id":17151,"rcode":"NOERROR","rrname":"en.gameoolines.com","rrtype":"A","ttl":1199,"rdata":"58.158.177.102"}}
{"timestamp":"2019-11-21T20:33:51.392000+0000","flow_id":345727497375720,"pcap_cnt":167,"event_type":"alert","src_ip":"192.168.240.87","src_port":49282,"dest_ip":"58.158.177.102","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2811429,"rev":3,"signature":"ETPRO TROJAN Downeks CnC Beacon","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-11-21T20:33:51.392000+0000","flow_id":345727497375720,"pcap_cnt":167,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":49282,"dest_ip":"58.158.177.102","dest_port":80,"proto":"TCP","http":{"hostname":"en.gameoolines.com","url":"\/","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":44,"tx_id":0}}
{"timestamp":"2019-11-21T20:33:51.469223+0000","flow_id":345727497375720,"pcap_cnt":168,"event_type":"http","src_ip":"192.168.240.87","src_port":49282,"dest_ip":"58.158.177.102","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"en.gameoolines.com","url":"\/","http_content_type":"text\/html"}}
{"timestamp":"2019-11-21T20:33:51.469223+0000","flow_id":345727497375720,"pcap_cnt":168,"event_type":"fileinfo","src_ip":"58.158.177.102","src_port":80,"dest_ip":"192.168.240.87","dest_port":49282,"proto":"TCP","http":{"hostname":"en.gameoolines.com","url":"\/","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":9},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":9,"tx_id":0}}
{"timestamp":"2019-11-21T20:33:56.133305+0000","flow_id":2139168401787065,"pcap_cnt":170,"event_type":"alert","src_ip":"192.168.240.87","src_port":63723,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2023789,"rev":1,"signature":"ET TROJAN DustySky Downeks\/Quasar\/other DNS Lookup (gameoolines .com)","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2019-11-21T20:33:56.133305+0000","flow_id":2139168401787065,"pcap_cnt":170,"event_type":"dns","src_ip":"192.168.240.87","src_port":63723,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32649,"rrname":"en.gameoolines.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-21T20:33:56.199862+0000","flow_id":2139168401787065,"pcap_cnt":171,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":63723,"proto":"UDP","dns":{"type":"answer","id":32649,"rcode":"NOERROR","rrname":"en.gameoolines.com","rrtype":"A","ttl":1199,"rdata":"58.158.177.102"}}
{"timestamp":"2019-11-21T20:34:27.756396+0000","flow_id":1648245051984556,"pcap_cnt":185,"event_type":"dns","src_ip":"192.168.240.87","src_port":56188,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40080,"rrname":"teredo.ipv6.microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-21T20:34:29.050539+0000","flow_id":1648245051984556,"pcap_cnt":186,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":56188,"proto":"UDP","dns":{"type":"answer","id":40080,"rcode":"NXDOMAIN","rrname":"teredo.ipv6.microsoft.com"}}
{"timestamp":"2019-11-21T20:34:29.050539+0000","flow_id":1648245051984556,"pcap_cnt":186,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":56188,"proto":"UDP","dns":{"type":"answer","id":40080,"rcode":"NXDOMAIN","rrname":"ipv6.microsoft.com","rrtype":"SOA","ttl":84}}
{"timestamp":"2019-11-21T20:34:34.859189+0000","flow_id":745975502737262,"pcap_cnt":198,"event_type":"fileinfo","src_ip":"192.168.240.235","src_port":49195,"dest_ip":"192.168.240.87","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.87","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-11-21T20:34:34.859473+0000","flow_id":745975502737262,"pcap_cnt":200,"event_type":"http","src_ip":"192.168.240.235","src_port":49195,"dest_ip":"192.168.240.87","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.87","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-11-21T20:34:34.861115+0000","flow_id":745975502737262,"pcap_cnt":202,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":5

This file has been truncated.
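The eve.json records above already contain the whole chain (DNS lookup alerted on, the A record it returned, the HTTP POST beacon to that address, the 44-byte client body), but only if the records are joined on flow_id and on the resolved address. The script below is an added example, not part of the IDSDeathBlossom report or of Suricata: it parses a constructed subset of the records shown above (same fields and values, ending with the cut-off last record so the parser has to cope with it), builds a passive-DNS map from the answer records, and enriches each alert with the name queried on its flow, the names that resolved to its destination, and the size of the client's POST body. All function names are the example's own. One assumption is made about record direction, taken from the records above: a fileinfo record that carries no HTTP status is the client-to-server body, one with a status is the response body.

```python
"""Pivot Suricata EVE JSON: join alerts to the DNS and HTTP records on the same
flow and to the names that resolved to the alert's destination (passive DNS).

Added example, not part of the report. SAMPLE_EVE is a constructed subset of the
eve.json records shown above, ending with the page's cut-off record.
"""
import json
from collections import defaultdict

SAMPLE_EVE = r'''
{"timestamp":"2019-11-21T20:33:47.105331+0000","flow_id":1844559414532979,"event_type":"dns","src_ip":"192.168.240.87","src_port":63515,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20325,"rrname":"myexternalip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-21T20:33:47.106699+0000","flow_id":1844559414532979,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":63515,"proto":"UDP","dns":{"type":"answer","id":20325,"rcode":"NOERROR","rrname":"myexternalip.com","rrtype":"A","ttl":333,"rdata":"216.239.32.21"}}
{"timestamp":"2019-11-21T20:33:47.228004+0000","flow_id":662970961721921,"event_type":"alert","src_ip":"192.168.240.87","src_port":49281,"dest_ip":"216.239.32.21","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019980,"rev":3,"signature":"ET POLICY Possible IP Check myexternalip.com","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-11-21T20:33:46.478258+0000","flow_id":407394637728818,"event_type":"alert","src_ip":"192.168.240.87","src_port":56373,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2023789,"rev":1,"signature":"ET TROJAN DustySky Downeks\/Quasar\/other DNS Lookup (gameoolines .com)","category":"A Network Trojan was detected","severity":1},"app_proto":"dns"}
{"timestamp":"2019-11-21T20:33:46.478258+0000","flow_id":407394637728818,"event_type":"dns","src_ip":"192.168.240.87","src_port":56373,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17151,"rrname":"en.gameoolines.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-11-21T20:33:47.385933+0000","flow_id":407394637728818,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.87","dest_port":56373,"proto":"UDP","dns":{"type":"answer","id":17151,"rcode":"NOERROR","rrname":"en.gameoolines.com","rrtype":"A","ttl":1199,"rdata":"58.158.177.102"}}
{"timestamp":"2019-11-21T20:33:51.392000+0000","flow_id":345727497375720,"event_type":"alert","src_ip":"192.168.240.87","src_port":49282,"dest_ip":"58.158.177.102","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2811429,"rev":3,"signature":"ETPRO TROJAN Downeks CnC Beacon","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-11-21T20:33:51.392000+0000","flow_id":345727497375720,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":49282,"dest_ip":"58.158.177.102","dest_port":80,"proto":"TCP","http":{"hostname":"en.gameoolines.com","url":"\/","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":44,"tx_id":0}}
{"timestamp":"2019-11-21T20:34:34.861115+0000","flow_id":745975502737262,"pcap_cnt":202,"event_type":"fileinfo","src_ip":"192.168.240.87","src_port":5
'''


def parse_eve(text):
    """One JSON object per line; blank and cut-off lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated record (the page's listing ends in one)
    return events


def passive_dns(events):
    """Resolved address -> set of names that resolved to it, from dns answer records."""
    pdns = defaultdict(set)
    for ev in events:
        dns = ev.get("dns") or {}
        if (ev.get("event_type") == "dns" and dns.get("type") == "answer"
                and dns.get("rrtype") in ("A", "AAAA") and dns.get("rdata")):
            pdns[dns["rdata"]].add(dns["rrname"])
    return dict(pdns)


def flow_index(events):
    """Group records by Suricata's flow_id so an alert can see its flow's DNS/HTTP records."""
    flows = defaultdict(list)
    for ev in events:
        flows[ev["flow_id"]].append(ev)
    return flows


def enrich_alerts(events):
    """Per alert: name queried on its flow (DNS alerts), names that resolved to
    dest_ip (passive DNS), and the client's POST body size (HTTP alerts)."""
    pdns = passive_dns(events)
    flows = flow_index(events)
    enriched = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        rec = {
            "timestamp": ev["timestamp"],
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "dest_ip": ev["dest_ip"],
            "resolved_from": sorted(pdns.get(ev["dest_ip"], ())),
            "queried_name": None,
            "post_body_bytes": None,
        }
        for sib in flows[ev["flow_id"]]:
            dns = sib.get("dns") or {}
            if dns.get("type") == "query":
                rec["queried_name"] = dns["rrname"]
            http, fi = sib.get("http") or {}, sib.get("fileinfo") or {}
            # Assumption (consistent with the records above): a fileinfo without an
            # HTTP status is the client->server body; one with a status is the reply.
            if fi and http.get("http_method") == "POST" and "status" not in http:
                rec["post_body_bytes"] = fi["size"]
        enriched.append(rec)
    return enriched


def suspicious_beacons(enriched, max_body=64):
    """Alerts on HTTP flows to an address learned via DNS with a small POST body:
    the shape of the Downeks check-in above (44 bytes of base64 to a fresh A record)."""
    return [r for r in enriched
            if r["resolved_from"] and r["post_body_bytes"] is not None
            and r["post_body_bytes"] <= max_body]


if __name__ == "__main__":
    for r in enrich_alerts(parse_eve(SAMPLE_EVE)):
        print(r["timestamp"], r["sid"], r["dest_ip"], r["resolved_from"],
              r["queried_name"], r["post_body_bytes"])
```

Run against the full eve.json instead of SAMPLE_EVE and the same join shows whether the second beacon alert in the fast.log (port 49283) reused the cached 58.158.177.102 resolution or followed a fresh lookup; the page's listing is cut before that record.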


unified2.alert.1574684909 - (2764 bytes)
[binary unified2 event/packet records, one pair per alert in the fast.log below. Only the ASCII payloads embedded in the packet records are readable; they are listed here in order, with the non-printable record and packet header bytes dropped.]

GET /raw HTTP/1.1
Host: myexternalip.com
Accept: */*

[DNS query packet: en.gameoolines.com]

POST / HTTP/1.1
Host: en.gameoolines.com
Accept: */*
Content-Length: 44
Content-Type: application/x-www-form-urlencoded

QEr4QLmQxJCu7CETeKFadA5tkaVT9ixOcFal4BjCiWY=

[DNS query packet: en.gameoolines.com]

POST / HTTP/1.1
Host: en.gameoolines.com
Accept: */*
Content-Length: 44
Content-Type: application/x-www-form-urlencoded

QEr4QLmQxJCu7CETeKFadA5tkaVT9ixOcFal4BjCiWY=

[the listing then repeats this last POST packet verbatim several more times; the repeats are omitted here]


suricata-4.0.0-etpro-all-alert-2019-11-25-T-12-28-31-11252019.1228-44b99603dde822b6b86577e64622e9a2f5b76b6d8bd23a3fe1b4d91b73d0230a_network.pcap.txt - (1052 bytes)
11/21/2019-20:33:47.228004  [**] [1:2019980:3] ET POLICY Possible IP Check myexternalip.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.240.87:49281 -> 216.239.32.21:80
11/21/2019-20:33:46.478258  [**] [1:2023789:1] ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (gameoolines .com) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.240.87:56373 -> 8.8.8.8:53
11/21/2019-20:33:51.392000  [**] [1:2811429:3] ETPRO TROJAN Downeks CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.87:49282 -> 58.158.177.102:80
11/21/2019-20:33:56.133305  [**] [1:2023789:1] ET TROJAN DustySky Downeks/Quasar/other DNS Lookup (gameoolines .com) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.240.87:63723 -> 8.8.8.8:53
11/21/2019-20:35:47.057093  [**] [1:2811429:3] ETPRO TROJAN Downeks CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.87:49283 -> 58.158.177.102:80


keyword_perf.log - (13175 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/25/2019 -- 12:28:31
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             2866596         414             414             428342          6924.00         6924.00         0.00           
  content          5992228         851             417             417804          7041.00         7912.00         6204.00        
  pcre             733990          52              2               57226           14115.00        20664.00        13853.00       
  byte_test        380306          63              40              37416           6036.00         6669.00         4935.00        
  byte_jump        25378           2               0               18826           12689.00        0.00            12689.00       
  isdataat         19766           4               0               5568            4941.00         0.00            4941.00        
  urilen           684670          56              40              357022          12226.00        15045.00        5177.00        
  byte_extract     18880           2               2               13030           9440.00         9440.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             2866596         414             414             428342          6924.00         6924.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2033088         281             144             417804          7235.00         8842.00         5545.00        
  pcre             189784          9               0               54426           21087.00        0.00            21087.00       
  byte_test        380306          63              40              37416           6036.00         6669.00         4935.00        
  byte_jump        25378           2               0               18826           12689.00        0.00            12689.00       
  isdataat         19766           4               0               5568            4941.00         0.00            4941.00        
  byte_extract     18880           2               2               13030           9440.00         9440.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          668544          102             36              23786           6554.00         6731.00         6457.00        
  pcre             204118          13              0               57226           15701.00        0.00            15701.00       
  urilen           684670          56              40              357022          12226.00        15045.00        5177.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          896092          115             22              22246           7792.00         12914.00        6580.00        
  pcre             41328           2               2               32810           20664.00        20664.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          70474           13              0               6996            5421.00         0.00            5421.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6196            1               0               6196            6196.00         0.00            6196.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1806810         258             167             25302           7003.00         7156.00         6721.00        
  pcre             298760          28              0               43836           10670.00        0.00            10670.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          198456          29              15              9612            6843.00         6787.00         6903.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          57256           11              0               5664            5205.00         0.00            5205.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          48874           8               8               6964            6109.00         6109.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12328           2               2               6252            6164.00         6164.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          133964          22              22              8234            6089.00         6089.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          22460           3               1               7724            7486.00         7666.00         7397.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          23086           4               0               6400            5771.00         0.00            5771.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          14600           2               0               8204            7300.00         0.00            7300.00        
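The keyword_perf.log above is Suricata's keyword profiling output (profiling.keywords in suricata.yaml). Two things a rule tuner wants from it are not visible at a glance: whether the per-buffer sections add up to the "total" section (they do here, which tells you the log is complete), and where the ticks go on checks that never match, which is the cost a ruleset pays for nothing. The parser below is an added example, not part of the report or of Suricata; it runs on a constructed excerpt of the log above (the pcre and urilen rows of every section they appear in, with the date, header and separator lines kept so the parser has to skip them). Function names are the example's own. The no-match cost is derived from the reported "Avg No Match" column, so it is exact only to the rounding in the log.

```python
"""Parse Suricata keyword_perf.log and answer two tuning questions: do the
per-buffer sections reconcile with 'total', and which (buffer, keyword) pairs
burn the most ticks on checks that do not match.

Added example, not part of the report. SAMPLE_PERF is a constructed excerpt of
the keyword_perf.log shown above.
"""
import re
from collections import defaultdict

SAMPLE_PERF = """\
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/25/2019 -- 12:28:31
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             733990          52              2               57226           14115.00        20664.00        13853.00       
  urilen           684670          56              40              357022          12226.00        15045.00        5177.00        
  Stats for: packet/stream payload
  pcre             189784          9               0               54426           21087.00        0.00            21087.00       
  Stats for: http_uri
  pcre             204118          13              0               57226           15701.00        0.00            15701.00       
  urilen           684670          56              40              357022          12226.00        15045.00        5177.00        
  Stats for: http_client_body
  pcre             41328           2               2               32810           20664.00        20664.00        0.00           
  Stats for: http_header
  pcre             298760          28              0               43836           10670.00        0.00            10670.00       
"""

SECTION_RE = re.compile(r"^\s*Stats for:\s*(.+?)\s*$")
# A data row: keyword, four integer columns, three float columns. The "Keyword Ticks ..."
# header and the dashed separators fail this match and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<keyword>\w+)\s+(?P<ticks>\d+)\s+(?P<checks>\d+)\s+(?P<matches>\d+)\s+"
    r"(?P<max_ticks>\d+)\s+(?P<avg>[\d.]+)\s+(?P<avg_match>[\d.]+)\s+(?P<avg_nomatch>[\d.]+)\s*$")


def parse_keyword_perf(text):
    """Return one dict per data row, tagged with the 'Stats for:' section it sits in."""
    rows, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and section is not None:
            d = m.groupdict()
            rows.append({
                "section": section, "keyword": d["keyword"],
                "ticks": int(d["ticks"]), "checks": int(d["checks"]),
                "matches": int(d["matches"]), "max_ticks": int(d["max_ticks"]),
                "avg": float(d["avg"]), "avg_match": float(d["avg_match"]),
                "avg_nomatch": float(d["avg_nomatch"]),
            })
    return rows


def reconcile(rows):
    """Per keyword: (agree?, total-section triple, sum over buffer sections) for
    (ticks, checks, matches). Disagreement means a section is missing or the log was cut."""
    totals, sums = {}, defaultdict(lambda: [0, 0, 0])
    for r in rows:
        triple = (r["ticks"], r["checks"], r["matches"])
        if r["section"] == "total":
            totals[r["keyword"]] = triple
        else:
            for i, v in enumerate(triple):
                sums[r["keyword"]][i] += v
    return {k: (totals[k] == tuple(sums[k]), totals[k], tuple(sums[k])) for k in totals}


def no_match_cost(rows):
    """Ticks spent on non-matching checks per (buffer, keyword), most expensive first.
    Computed from the rounded 'Avg No Match' column, so approximate."""
    cost = []
    for r in rows:
        if r["section"] == "total":
            continue
        wasted = int((r["checks"] - r["matches"]) * r["avg_nomatch"])
        cost.append((r["section"], r["keyword"], wasted))
    return sorted(cost, key=lambda c: c[2], reverse=True)


if __name__ == "__main__":
    rows = parse_keyword_perf(SAMPLE_PERF)
    for kw, (ok, total, summed) in reconcile(rows).items():
        print(kw, "reconciles" if ok else "MISMATCH", total, summed)
    for section, kw, wasted in no_match_cost(rows):
        print(f"{section:24s} {kw:10s} {wasted:>10d} ticks on non-matching checks")
```

On the excerpt, http_header pcre tops the list: 28 checks, no matches, roughly 298760 ticks. Fed the full log, the same ranking is the shortlist of rules whose pcre should be gated behind a cheaper content match or a tighter buffer.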


IDSDeathBlossom.py.log - (1211 bytes)
2019-11-25 12:28:04,184 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-11-25 12:28:04,984 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-11-25 12:28:04,985 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-11-25 12:28:04,985 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-11-25 12:28:04,986 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-11-25 12:28:04,986 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/a672c8a5b9a15d6823a6697fb6c9c76e56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11252019.1228-44b99603dde822b6b86577e64622e9a2f5b76b6d8bd23a3fe1b4d91b73d0230a_network.pcap -vvv -k none
2019-11-25 12:28:31,391 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-11-25 12:28:31,392 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 27.217400074