Filename: 2018-01-25-Dridex-malspam-infection-traffic-2-of-2.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 9.04759693146 seconds
Hash: ab04ae8d771db6e2b352d391bfb248ea
Uploaded: 1554297097

Logfiles


packet_stats.log - (8855 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           162           108161       53793661      36884715          6.0b   98.94
 IPv4      17             4         13079953       18852742      15989403         64.0m    1.06
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           162            68039        8034862        271679         44.0m   66.49
TMM_FLOWWORKER              IPv4      17             4           307138         915995        490421          2.0m    2.96
TMM_RECEIVEPCAPFILE         IPv4       6           159             2541       19220572        123887         19.7m   29.76
TMM_RECEIVEPCAPFILE         IPv4      17             4             2840          10370          4790         19.2k    0.03
TMM_DECODEPCAPFILE          IPv4       6           159             2662          26532          3007        478.2k    0.72
TMM_DECODEPCAPFILE          IPv4      17             4             2947          14332          5805         23.2k    0.04

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           159             2829          32493          3306        525.7k  1.24  
flow                    IPv4      17             4             3211          10327          6322         25.3k  0.06  
stream                  IPv4       6           162             2729         388093         18528          3.0m  7.11  
app-layer               IPv4      17             4            10348          36182         19971         79.9k  0.19  
detect                  IPv4       6           162            45139        7996039        227525         36.9m  87.29 
detect                  IPv4      17             4           242969         454083        311467          1.2m  2.95  
tcp-prune               IPv4       6           162             2546          15135          3022        489.7k  1.16  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
tls                     IPv4       6             4             2633           6036          3633         14.5k  34.90 
dns                     IPv4      17             4             4513          10917          6777         27.1k  65.10 
Proto detect            IPv4      17             4             7316          13849         10582         42.3k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_JSON_DNS             IPv4      17             4            36705         388714        134122        536.5k  86.54 
LOGGER_JSON_TLS             IPv4       6             2            34723          48750         41736         83.5k  13.46 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            21             2584         417429         49755         1.0m  10.84 
payload                           IPv4      17             4            19749          27535         23220        92.9k  0.96  
stream                            IPv4       6            21             2551        7763868        400932         8.4m  87.34 
dns_query                         IPv4      17             2             7321          11120          9220        18.4k  0.19  
tls_sni                           IPv4       6             4             2965           8336          5287        21.1k  0.22  
tls_cert_issuer                   IPv4       6             2             7933          13888         10910        21.8k  0.23  
tls_cert_subject                  IPv4       6             2             5151           6561          5856        11.7k  0.12  
tls_cert_serial                   IPv4       6             2             4536           5509          5022        10.0k  0.10  
Total                             IPv4                    58                                        166215         9.6m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             4            10096          30796         19481         77.9k  0.17  
PROF_DETECT_IPONLY          IPv4      17             4            19666          43173         28718        114.9k  0.26  
PROF_DETECT_RULES           IPv4       6           162             2538        1628587         20435          3.3m  7.36  
PROF_DETECT_RULES           IPv4      17             4            99976         236418        154974        619.9k  1.38  
PROF_DETECT_STATEFUL_START    IPv4       6             1           521917         521917        521917        521.9k  1.16  
PROF_DETECT_STATEFUL_CONT    IPv4       6           162             2546        5031332         82766         13.4m  29.82 
PROF_DETECT_STATEFUL_CONT    IPv4      17             4             4159          39772         13162         52.6k  0.12  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6           154             2556          14435          2688        414.1k  0.92  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             4             2842           3341          3031         12.1k  0.03  
PROF_DETECT_PREFILTER       IPv4       6           162             7816        7841433         77583         12.6m  27.95 
PROF_DETECT_PREFILTER       IPv4      17             4            50916          72353         62451        249.8k  0.56  
PROF_DETECT_PF_PAYLOAD      IPv4       6            21            17643        7815170        461927          9.7m  21.57 
PROF_DETECT_PF_PAYLOAD      IPv4      17             4            25118          32729         28428        113.7k  0.25  
PROF_DETECT_PF_TX           IPv4       6           154             2648          36023          3434        528.9k  1.18  
PROF_DETECT_PF_TX           IPv4      17             2            12974          17288         15131         30.3k  0.07  
PROF_DETECT_PF_SORT1        IPv4       6            20             2601           5176          3122         62.4k  0.14  
PROF_DETECT_PF_SORT1        IPv4      17             4             3227           3544          3400         13.6k  0.03  
PROF_DETECT_PF_SORT2        IPv4       6           162             2524         385047          4992        808.8k  1.80  
PROF_DETECT_PF_SORT2        IPv4      17             4             3181           3549          3355         13.4k  0.03  
PROF_DETECT_NONMPMLIST      IPv4       6           162             2534         418776          5605        908.2k  2.02  
PROF_DETECT_NONMPMLIST      IPv4      17             4             2907           3964          3240         13.0k  0.03  
PROF_DETECT_ALERT           IPv4       6           162             2527          14824          2688        435.5k  0.97  
PROF_DETECT_ALERT           IPv4      17             4             2547           4226          3043         12.2k  0.03  
PROF_DETECT_CLEANUP         IPv4       6           162             2570          10256          2787        451.6k  1.00  
PROF_DETECT_CLEANUP         IPv4      17             4             3152           4941          3797         15.2k  0.03  
PROF_DETECT_GETSGH          IPv4       6           162             2529          15158          2978        482.6k  1.07  
PROF_DETECT_GETSGH          IPv4      17             4             5782           6196          5920         23.7k  0.05  


suricata-4.0.0-etopen-all-perf.txt-2019-04-03-T-13-11-46-04032019.1311-2018-01-25-Dridex-malspam-infection-traffic-2-of-2.pcap.txt - (8277 bytes)
  --------------------------------------------------------------------------
  Date: 4/3/2019 -- 13:11:46. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2025190      1        1        5678192      42.69  80       0        4951370     70977.40    0.00        70977.40   
  2        2025193      1        1        1077553      8.10   80       0        409405      13469.41    0.00        13469.41   
  3        2024227      1        3        1124111      8.45   80       0        395689      14051.39    0.00        14051.39   
  4        2025189      1        1        1063115      7.99   80       0        392192      13288.94    0.00        13288.94   
  5        2025194      1        1        1098475      8.26   80       0        390281      13730.94    0.00        13730.94   
  6        2025191      1        1        1073062      8.07   80       0        389342      13413.27    0.00        13413.27   
  7        2021749      1        6        431472       3.24   2        0        229875      215736.00   0.00        215736.00  
  8        2018005      1        6        193669       1.46   3        0        95327       64556.33    0.00        64556.33   
  9        2025330      1        1        84126        0.63   1        0        84126       84126.00    0.00        84126.00   
  10       2024720      1        3        70737        0.53   1        0        70737       70737.00    0.00        70737.00   
  11       2009702      1        5        67802        0.51   4        0        40603       16950.50    0.00        16950.50   
  12       2025192      1        1        684254       5.14   80       0        26284       8553.17     0.00        8553.17    
  13       2014701      1        12       47480        0.36   4        0        22104       11870.00    0.00        11870.00   
  14       2019602      1        1        20806        0.16   1        0        20806       20806.00    0.00        20806.00   
  15       2018057      1        4        20224        0.15   1        0        20224       20224.00    0.00        20224.00   
  16       2020695      1        1        19446        0.15   1        0        19446       19446.00    0.00        19446.00   
  17       2020610      1        3        19345        0.15   1        0        19345       19345.00    0.00        19345.00   
  18       2022543      1        1        31950        0.24   2        0        16332       15975.00    0.00        15975.00   
  19       2014703      1        9        35665        0.27   4        0        15159       8916.25     0.00        8916.25    
  20       2019230      1        2        18661        0.14   2        0        15125       9330.50     0.00        9330.50    
  21       2018375      1        3        26610        0.20   2        0        14999       13305.00    0.00        13305.00   
  22       2014702      1        9        34467        0.26   4        0        14789       8616.75     0.00        8616.75    
  23       2018382      1        8        8787         0.07   2        0        5524        4393.50     0.00        4393.50    
  24       2018789      1        3        12169        0.09   3        0        5441        4056.33     0.00        4056.33    
  25       2025200      1        1        14302        0.11   4        0        4056        3575.50     0.00        3575.50    
  26       2009387      1        4        9947         0.07   3        0        3990        3315.67     0.00        3315.67    
  27       2019809      1        2        12967        0.10   4        0        3921        3241.75     0.00        3241.75    
  28       2023622      1        3        6476         0.05   2        0        3860        3238.00     0.00        3238.00    
  29       2100327      1        10       7226         0.05   2        0        3772        3613.00     0.00        3613.00    
  30       2021151      1        1        8684         0.07   3        0        3585        2894.67     0.00        2894.67    
  31       2001330      1        8        34612        0.26   12       0        3548        2884.33     0.00        2884.33    
  32       2018281      1        4        6487         0.05   2        0        3489        3243.50     0.00        3243.50    
  33       2008120      1        4        11818        0.09   4        0        3470        2954.50     0.00        2954.50    
  34       2024777      1        2        14982        0.11   5        0        3463        2996.40     0.00        2996.40    
  35       2009243      1        2        6754         0.05   2        0        3423        3377.00     0.00        3377.00    
  36       2010140      1        7        6380         0.05   2        0        3341        3190.00     0.00        3190.00    
  37       2023626      1        3        5863         0.04   2        0        3316        2931.50     0.00        2931.50    
  38       2021976      1        2        6069         0.05   2        0        3308        3034.50     0.00        3034.50    
  39       2015986      1        5        16763        0.13   6        0        3293        2793.83     0.00        2793.83    
  40       2102190      1        5        19908        0.15   7        0        3281        2844.00     0.00        2844.00    
  41       2023624      1        3        11615        0.09   4        0        3279        2903.75     0.00        2903.75    
  42       2010143      1        3        6218         0.05   2        0        3271        3109.00     0.00        3109.00    
  43       2022547      1        1        28123        0.21   10       0        3252        2812.30     0.00        2812.30    
  44       2018373      1        3        6063         0.05   2        0        3227        3031.50     0.00        3031.50    
  45       2103158      1        6        23435        0.18   8        0        3185        2929.38     0.00        2929.38    
  46       2023627      1        3        5830         0.04   2        0        3184        2915.00     0.00        2915.00    
  47       2103159      1        4        11581        0.09   4        0        3153        2895.25     0.00        2895.25    
  48       2018624      1        5        3139         0.02   1        0        3139        3139.00     0.00        3139.00    
  49       2102523      1        8        6250         0.05   2        0        3135        3125.00     0.00        3125.00    
  50       2017935      1        3        6059         0.05   2        0        3126        3029.50     0.00        3029.50    
  51       2023615      1        3        3115         0.02   1        0        3115        3115.00     0.00        3115.00    
  52       2021978      1        6        5681         0.04   2        0        3113        2840.50     0.00        2840.50    
  53       2008118      1        3        6133         0.05   2        0        3091        3066.50     0.00        3066.50    
  54       2008306      1        3        11101        0.08   4        0        3076        2775.25     0.00        2775.25    
  55       2024775      1        1        3054         0.02   1        0        3054        3054.00     0.00        3054.00    
  56       2102523      1        8        6022         0.05   2        0        3027        3011.00     0.00        3011.00    
  57       2010142      1        4        5630         0.04   2        0        2920        2815.00     0.00        2815.00    
  58       2018377      1        3        5404         0.04   2        0        2868        2702.00     0.00        2702.00    
  59       2023617      1        3        5221         0.04   2        0        2663        2610.50     0.00        2610.50    
  60       2013075      1        8        5187         0.04   2        0        2616        2593.50     0.00        2593.50    
  61       2103238      1        4        5075         0.04   2        0        2543        2537.50     0.00        2537.50    


stats.log - (2307 bytes)
------------------------------------------------------------------------------------
Date: 4/3/2019 -- 13:11:46 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 163
decoder.bytes                              | Total                     | 128315
decoder.ipv4                               | Total                     | 163
decoder.ethernet                           | Total                     | 163
decoder.tcp                                | Total                     | 159
decoder.udp                                | Total                     | 4
decoder.avg_pkt_size                       | Total                     | 787
decoder.max_pkt_size                       | Total                     | 1342
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 2
tcp.sessions                               | Total                     | 2
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
tcp.rst                                    | Total                     | 1
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 1
app_layer.flow.tls                         | Total                     | 2
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.tx.dns_udp                       | Total                     | 2
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075456


eve.json - (1860 bytes)
{"timestamp":"2018-01-25T17:30:47.376330+0000","flow_id":63645313121802,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.25.101","src_port":57837,"dest_ip":"10.1.25.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8801,"rrname":"pinksflorists.co.uk","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-25T17:30:47.403713+0000","flow_id":63645313121802,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.25.1","src_port":53,"dest_ip":"10.1.25.101","dest_port":57837,"proto":"UDP","dns":{"type":"answer","id":8801,"rcode":"NOERROR","rrname":"pinksflorists.co.uk","rrtype":"A","ttl":13227,"rdata":"212.53.86.219"}}
{"timestamp":"2018-01-25T17:30:47.840411+0000","flow_id":642407188606457,"pcap_cnt":13,"event_type":"tls","src_ip":"10.1.25.101","src_port":49289,"dest_ip":"212.53.86.219","dest_port":443,"proto":"TCP","tls":{"subject":"CN=www.pinksflorists.co.uk","issuerdn":"C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA"}}
{"timestamp":"2018-01-25T17:31:31.009811+0000","flow_id":256547329615443,"pcap_cnt":29,"event_type":"dns","src_ip":"10.1.25.101","src_port":58412,"dest_ip":"10.1.25.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48202,"rrname":"revolutioncomponents.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-25T17:31:31.251196+0000","flow_id":256547329615443,"pcap_cnt":30,"event_type":"dns","src_ip":"10.1.25.1","src_port":53,"dest_ip":"10.1.25.101","dest_port":58412,"proto":"UDP","dns":{"type":"answer","id":48202,"rcode":"NOERROR","rrname":"revolutioncomponents.com","rrtype":"A","ttl":300,"rdata":"43.245.53.30"}}
{"timestamp":"2018-01-25T17:31:31.697869+0000","flow_id":1632513117379222,"pcap_cnt":40,"event_type":"tls","src_ip":"10.1.25.101","src_port":49291,"dest_ip":"43.245.53.30","dest_port":443,"proto":"TCP","tls":{"subject":"CN=revolutioncomponents.com","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}


suricata-report-2019-04-03-T-13-11-46-04032019.1311-2018-01-25-Dridex-malspam-infection-traffic-2-of-2.pcap.txt - (18061 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/ab04ae8d771db6e2b352d391bfb248ead2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/04032019.1311-2018-01-25-Dridex-malspam-infection-traffic-2-of-2.pcap -vvv -k none
elapsedtime:8.148069
stderr:
3/4/2019 -- 13:11:44 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 truncated dump file; tried to read 1342 captured bytes, only got 109
stdout:
3/4/2019 -- 13:11:37 - <Info> - Configuration node 'rule-files' redefined.
3/4/2019 -- 13:11:37 - <Notice> - This is Suricata version 4.0.0 RELEASE
3/4/2019 -- 13:11:37 - <Info> - CPUs/cores online: 1
3/4/2019 -- 13:11:37 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32237 and 'request-body-inspect-window' set to 15594 after randomization.
3/4/2019 -- 13:11:37 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34145 and 'response-body-inspect-window' set to 17103 after randomization.
3/4/2019 -- 13:11:37 - <Config> - DNS request flood protection level: 500
3/4/2019 -- 13:11:37 - <Config> - DNS per flow memcap (state-memcap): 524288
3/4/2019 -- 13:11:37 - <Config> - DNS global memcap: 16777216
3/4/2019 -- 13:11:37 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
3/4/2019 -- 13:11:37 - <Config> - preallocated 1000 hosts of size 136
3/4/2019 -- 13:11:37 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
3/4/2019 -- 13:11:37 - <Config> - using magic-file /usr/share/file/magic
3/4/2019 -- 13:11:37 - <Config> - Core dump size is unlimited.
3/4/2019 -- 13:11:37 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
3/4/2019 -- 13:11:37 - <Config> - preallocated 1000 defrag trackers of size 168
3/4/2019 -- 13:11:37 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
3/4/2019 -- 13:11:38 - <Config> - stream "prealloc-sessions": 2048 (per thread)
3/4/2019 -- 13:11:38 - <Config> - stream "memcap": 33554432
3/4/2019 -- 13:11:38 - <Config> - stream "midstream" session pickups: disabled
3/4/2019 -- 13:11:38 - <Config> - stream "async-oneside": disabled
3/4/2019 -- 13:11:38 - <Config> - stream "checksum-validation": disabled
3/4/2019 -- 13:11:38 - <Config> - stream."inline": disabled
3/4/2019 -- 13:11:38 - <Config> - stream "bypass": disabled
3/4/2019 -- 13:11:38 - <Config> - stream "max-synack-queued": 5
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "memcap": 134217728
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "depth": 0
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "toserver-chunk-size": 2564
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "toclient-chunk-size": 2498
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly.raw: enabled
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "segment-prealloc": 2048
3/4/2019 -- 13:11:38 - <Config> - Delayed detect disabled
3/4/2019 -- 13:11:38 - <Config> - pattern matchers: MPM: ac, SPM: bm
3/4/2019 -- 13:11:38 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
3/4/2019 -- 13:11:38 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
3/4/2019 -- 13:11:38 - <Config> - prefilter engines: MPM
3/4/2019 -- 13:11:38 - <Config> - IP reputation disabled
3/4/2019 -- 13:11:38 - <Perf> - Registered 148 keyword profiling counters.
3/4/2019 -- 13:11:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
3/4/2019 -- 13:11:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
3/4/2019 -- 13:11:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
3/4/2019 -- 13:11:39 - <Config> - No rules loaded from ET-emerging-icmp.rules.
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
3/4/2019 -- 13:11:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
3/4/2019 -- 13:11:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
3/4/2019 -- 13:11:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
3/4/2019 -- 13:11:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
3/4/2019 -- 13:11:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
3/4/2019 -- 13:11:42 - <Config> - No rules loaded from local.rules.
3/4/2019 -- 13:11:42 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
3/4/2019 -- 13:11:42 - <Info> - Threshold config parsed: 0 rule(s) found
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tcp-packet
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tcp-stream
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for udp-packet
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for other-ip
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_uri
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_request_line
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_client_body
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_response_line
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_header
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_header
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_header_names
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_header_names
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_accept
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_accept_enc
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_accept_lang
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_referer
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_connection
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_content_len
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_content_len
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_content_type
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_content_type
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_protocol
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_protocol
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_start
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_start
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_raw_header
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_raw_header
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_method
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_cookie
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_cookie
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_raw_uri
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_user_agent
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_host
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_raw_host
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_stat_msg
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_stat_code
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for dns_query
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tls_sni
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tls_cert_issuer
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tls_cert_subject
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tls_cert_serial
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for dce_stub_data
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for dce_stub_data
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for ssh_protocol
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for ssh_protocol
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for ssh_software
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for ssh_software
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for file_data
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for file_data
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_request_line
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_response_line
3/4/2019 -- 13:11:42 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
3/4/2019 -- 13:11:42 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
3/4/2019 -- 13:11:42 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
3/4/2019 -- 13:11:42 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
3/4/2019 -- 13:11:42 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
3/4/2019 -- 13:11:42 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
3/4/2019 -- 13:11:42 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
3/4/2019 -- 13:11:42 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
3/4/2019 -- 13:11:43 - <Perf> - Unique rule groups: 111
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toserver TCP packet": 31
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toclient TCP packet": 20
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toserver TCP stream": 31
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toclient TCP stream": 21
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toserver UDP packet": 33
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toclient UDP packet": 15
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "other IP packet": 2
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_uri": 8
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_request_line": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_client_body": 6
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_response_line": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_header": 6
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_header": 3
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_header_names": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_accept": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_referer": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_content_len": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_content_type": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_content_type": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_start": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_method": 3
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_cookie": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_cookie": 2
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_host": 2
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver dns_query": 4
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver tls_sni": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver file_data": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient file_data": 5
3/4/2019 -- 13:11:44 - <Perf> - Registered 18241 rule profiling counters.
3/4/2019 -- 13:11:44 - <Info> - fast output device (regular) initialized: alert
3/4/2019 -- 13:11:44 - <Info> - eve-log output device (regular) initialized: eve.json
3/4/2019 -- 13:11:44 - <Config> - enabling 'eve-log' module 'alert'
3/4/2019 -- 13:11:44 - <Config> - enabling 'eve-log' module 'http'
3/4/2019 -- 13:11:44 - <Config> - enabling 'eve-log' module 'dns'
3/4/2019 -- 13:11:44 - <Config> - enabling 'eve-log' module 'tls'
3/4/2019 -- 13:11:44 - <Config> - enabling 'eve-log' module 'files'
3/4/2019 -- 13:11:44 - <Config> - enabling 'eve-log' module 'ssh'
3/4/2019 -- 13:11:44 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
3/4/2019 -- 13:11:44 - <Info> - st

This file has been truncated.


keyword_perf.log - (4753 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 4/3/2019 -- 13:11:46
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             23809           7               7               4636            3401.00         3401.00         0.00           
  content          3165981         672             46              386476          4711.00         12141.00        4165.00        
  pcre             49545           10              0               20717           4954.00         0.00            4954.00        
  byte_test        49817           16              7               5282            3113.00         3453.00         2849.00        
  byte_jump        13303           4               0               3987            3325.00         0.00            3325.00        
  isdataat         5665            2               0               2849            2832.00         0.00            2832.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             23809           7               7               4636            3401.00         3401.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          336152          105             39              7327            3201.00         3826.00         2832.00        
  pcre             49545           10              0               20717           4954.00         0.00            4954.00        
  byte_test        49817           16              7               5282            3113.00         3453.00         2849.00        
  byte_jump        13303           4               0               3987            3325.00         0.00            3325.00        
  isdataat         5665            2               0               2849            2832.00         0.00            2832.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_issuer
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          409290          7               7               386476          58470.00        58470.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2420539         560             0               386400          4322.00         0.00            4322.00        


IDSDeathBlossom.py.log - (19658 bytes)
2019-04-03 13:11:37,259 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-04-03 13:11:37,970 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-04-03 13:11:37,970 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-04-03 13:11:37,970 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-04-03 13:11:37,971 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-04-03 13:11:37,971 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/ab04ae8d771db6e2b352d391bfb248ead2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/04032019.1311-2018-01-25-Dridex-malspam-infection-traffic-2-of-2.pcap -vvv -k none
2019-04-03 13:11:46,127 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
3/4/2019 -- 13:11:44 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 truncated dump file; tried to read 1342 captured bytes, only got 109
2019-04-03 13:11:46,128 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-04-03 13:11:46,128 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +437 - mode:suricata; lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/ab04ae8d771db6e2b352d391bfb248ead2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/04032019.1311-2018-01-25-Dridex-malspam-infection-traffic-2-of-2.pcap -vvv -k none; returncode:0; elapsed:8.148069; Errors:
- 3/4/2019 -- 13:11:44 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 truncated dump file; tried to read 1342 captured bytes, only got 109

 Warnings:
None
 stderr:
3/4/2019 -- 13:11:44 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 truncated dump file; tried to read 1342 captured bytes, only got 109

 stdout:
3/4/2019 -- 13:11:37 - <Info> - Configuration node 'rule-files' redefined.
3/4/2019 -- 13:11:37 - <Notice> - This is Suricata version 4.0.0 RELEASE
3/4/2019 -- 13:11:37 - <Info> - CPUs/cores online: 1
3/4/2019 -- 13:11:37 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32237 and 'request-body-inspect-window' set to 15594 after randomization.
3/4/2019 -- 13:11:37 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34145 and 'response-body-inspect-window' set to 17103 after randomization.
3/4/2019 -- 13:11:37 - <Config> - DNS request flood protection level: 500
3/4/2019 -- 13:11:37 - <Config> - DNS per flow memcap (state-memcap): 524288
3/4/2019 -- 13:11:37 - <Config> - DNS global memcap: 16777216
3/4/2019 -- 13:11:37 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
3/4/2019 -- 13:11:37 - <Config> - preallocated 1000 hosts of size 136
3/4/2019 -- 13:11:37 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
3/4/2019 -- 13:11:37 - <Config> - using magic-file /usr/share/file/magic
3/4/2019 -- 13:11:37 - <Config> - Core dump size is unlimited.
3/4/2019 -- 13:11:37 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
3/4/2019 -- 13:11:37 - <Config> - preallocated 1000 defrag trackers of size 168
3/4/2019 -- 13:11:37 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
3/4/2019 -- 13:11:38 - <Config> - stream "prealloc-sessions": 2048 (per thread)
3/4/2019 -- 13:11:38 - <Config> - stream "memcap": 33554432
3/4/2019 -- 13:11:38 - <Config> - stream "midstream" session pickups: disabled
3/4/2019 -- 13:11:38 - <Config> - stream "async-oneside": disabled
3/4/2019 -- 13:11:38 - <Config> - stream "checksum-validation": disabled
3/4/2019 -- 13:11:38 - <Config> - stream."inline": disabled
3/4/2019 -- 13:11:38 - <Config> - stream "bypass": disabled
3/4/2019 -- 13:11:38 - <Config> - stream "max-synack-queued": 5
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "memcap": 134217728
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "depth": 0
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "toserver-chunk-size": 2564
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "toclient-chunk-size": 2498
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly.raw: enabled
3/4/2019 -- 13:11:38 - <Config> - stream.reassembly "segment-prealloc": 2048
3/4/2019 -- 13:11:38 - <Config> - Delayed detect disabled
3/4/2019 -- 13:11:38 - <Config> - pattern matchers: MPM: ac, SPM: bm
3/4/2019 -- 13:11:38 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
3/4/2019 -- 13:11:38 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
3/4/2019 -- 13:11:38 - <Config> - prefilter engines: MPM
3/4/2019 -- 13:11:38 - <Config> - IP reputation disabled
3/4/2019 -- 13:11:38 - <Perf> - Registered 148 keyword profiling counters.
3/4/2019 -- 13:11:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
3/4/2019 -- 13:11:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
3/4/2019 -- 13:11:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
3/4/2019 -- 13:11:39 - <Config> - No rules loaded from ET-emerging-icmp.rules.
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
3/4/2019 -- 13:11:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
3/4/2019 -- 13:11:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
3/4/2019 -- 13:11:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
3/4/2019 -- 13:11:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
3/4/2019 -- 13:11:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
3/4/2019 -- 13:11:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
3/4/2019 -- 13:11:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
3/4/2019 -- 13:11:42 - <Config> - No rules loaded from local.rules.
3/4/2019 -- 13:11:42 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
3/4/2019 -- 13:11:42 - <Info> - Threshold config parsed: 0 rule(s) found
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tcp-packet
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tcp-stream
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for udp-packet
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for other-ip
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_uri
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_request_line
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_client_body
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_response_line
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_header
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_header
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_header_names
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_header_names
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_accept
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_accept_enc
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_accept_lang
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_referer
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_connection
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_content_len
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_content_len
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_content_type
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_content_type
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_protocol
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_protocol
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_start
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_start
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_raw_header
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_raw_header
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_method
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_cookie
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_cookie
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_raw_uri
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_user_agent
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_host
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_raw_host
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_stat_msg
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_stat_code
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for dns_query
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tls_sni
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tls_cert_issuer
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tls_cert_subject
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for tls_cert_serial
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for dce_stub_data
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for dce_stub_data
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for ssh_protocol
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for ssh_protocol
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for ssh_software
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for ssh_software
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for file_data
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for file_data
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_request_line
3/4/2019 -- 13:11:42 - <Perf> - using shared mpm ctx' for http_response_line
3/4/2019 -- 13:11:42 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
3/4/2019 -- 13:11:42 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
3/4/2019 -- 13:11:42 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
3/4/2019 -- 13:11:42 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
3/4/2019 -- 13:11:42 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
3/4/2019 -- 13:11:42 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
3/4/2019 -- 13:11:42 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
3/4/2019 -- 13:11:42 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
3/4/2019 -- 13:11:43 - <Perf> - Unique rule groups: 111
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toserver TCP packet": 31
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toclient TCP packet": 20
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toserver TCP stream": 31
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toclient TCP stream": 21
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toserver UDP packet": 33
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "toclient UDP packet": 15
3/4/2019 -- 13:11:43 - <Perf> - Builtin MPM "other IP packet": 2
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_uri": 8
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_request_line": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_client_body": 6
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_response_line": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_header": 6
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_header": 3
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_header_names": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_accept": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_referer": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_content_len": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_content_type": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_content_type": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_start": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_method": 3
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toserver http_cookie": 1
3/4/2019 -- 13:11:43 - <Perf> - AppLayer MPM "toclient h

This file has been truncated.