Filename: pcap (1).pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 23.2440052032 seconds
Hash: b440eff752ea79b3bfd83f866641c26b
Uploaded: 1545658997

Logfiles


suricata-4.0.0-etpro-all-alert-2018-12-24-T-13-43-40-12242018.1343-pcap_1.pcap.txt (855 bytes)
12/13/2018-16:52:33.433743  [**] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.56.107:50089 -> 192.168.56.1:53
12/13/2018-16:52:33.802004  [**] [1:2011227:5] ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.56.107:49167 -> 192.168.56.1:80
12/13/2018-16:52:33.802004  [**] [1:2016777:12] ET INFO HTTP Request to a *.pw domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.107:49167 -> 192.168.56.1:80
12/13/2018-16:52:33.802402  [**] [1:2017363:2] ET INFO InetSim Response from External Source Possible SinkHole [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.1:80 -> 192.168.56.107:49167


packet_stats.log (14221 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       2            14         29733808       82838723      47173541        660.4m    7.88
 IPv4       6            10         55148124       61385612      57255347        572.6m    6.83
 IPv4      17           122         29175711       95433537      58563792          7.1b   85.28
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       2            14            89380         497566        127601          1.8m    2.64
TMM_FLOWWORKER              IPv4       6            10            70857        3471452        638073          6.4m    9.42
TMM_FLOWWORKER              IPv4      17           122           119655        9946653        481216         58.7m   86.67
TMM_RECEIVEPCAPFILE         IPv4       2            14             2540          10841          3428         48.0k    0.07
TMM_RECEIVEPCAPFILE         IPv4       6            10             2774           3302          2896         29.0k    0.04
TMM_RECEIVEPCAPFILE         IPv4      17           122             2555           4198          2857        348.7k    0.51
TMM_DECODEPCAPFILE          IPv4       2            14             2645           3664          2859         40.0k    0.06
TMM_DECODEPCAPFILE          IPv4       6            10             2833           8791          3627         36.3k    0.05
TMM_DECODEPCAPFILE          IPv4      17           122             2660          14166          2943        359.1k    0.53

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6            10             3001           4394          3488         34.9k  0.06  
flow                    IPv4      17           122             2785         384315          8009        977.1k  1.66  
stream                  IPv4       6            10             4599         331652         59172        591.7k  1.01  
app-layer               IPv4      17           122             2523         403095         10714          1.3m  2.22  
detect                  IPv4       2            14            83730         490859        121833          1.7m  2.90  
detect                  IPv4       6            10            46071        3062602        509053          5.1m  8.65  
detect                  IPv4      17           122           103223        9923007        402706         49.1m  83.45 
tcp-prune               IPv4       6            10             2566          10748          3802         38.0k  0.06  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             1            10990          10990         10990         11.0k  4.99  
dns                     IPv4      17            39             3827          16130          5365        209.2k  95.01 
Proto detect            IPv4      17            46             3017         389580         31186          1.4m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             2            23838          60018         41928         83.9k  1.71  
LOGGER_ALERT_FAST           IPv4      17             1            48020          48020         48020         48.0k  0.98  
LOGGER_UNIFIED2             IPv4       6             2            21254          41201         31227         62.5k  1.27  
LOGGER_UNIFIED2             IPv4      17             1           160561         160561        160561        160.6k  3.27  
LOGGER_JSON_ALERT           IPv4       6             2            41524          93889         67706        135.4k  2.76  
LOGGER_JSON_ALERT           IPv4      17             1            61724          61724         61724         61.7k  1.26  
LOGGER_JSON_DNS             IPv4      17            38            31855         952483        110551          4.2m  85.58 
LOGGER_JSON_HTTP            IPv4       6             1            58347          58347         58347         58.3k  1.19  
LOGGER_JSON_FILE            IPv4       6             1            97469          97469         97469         97.5k  1.99  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6             5             2933         219089         92837       464.2k  10.87 
payload                           IPv4      17           122             3270         462958         24278         3.0m  69.36 
stream                            IPv4       6             5             2606         147729         48846       244.2k  5.72  
http_uri                          IPv4       6             1            19248          19248         19248        19.2k  0.45  
http_request_line                 IPv4       6             1            11950          11950         11950        11.9k  0.28  
http_client_body                  IPv4       6             1             3852           3852          3852         3.9k  0.09  
http_header (request)             IPv4       6             1           121052         121052        121052       121.1k  2.83  
http_header (request trailer)     IPv4       6             1             2691           2691          2691         2.7k  0.06  
http_header_names (request)       IPv4       6             1            22481          22481         22481        22.5k  0.53  
http_accept (request)             IPv4       6             1             8754           8754          8754         8.8k  0.20  
http_referer (request)            IPv4       6             1             3234           3234          3234         3.2k  0.08  
http_content_len (request)        IPv4       6             1             6805           6805          6805         6.8k  0.16  
http_content_type (request)       IPv4       6             1             3579           3579          3579         3.6k  0.08  
http_protocol (request)           IPv4       6             1            10101          10101         10101        10.1k  0.24  
http_start (request)              IPv4       6             1            16562          16562         16562        16.6k  0.39  
http_raw_header (request)         IPv4       6             1            18483          18483         18483        18.5k  0.43  
http_method                       IPv4       6             1             6871           6871          6871         6.9k  0.16  
http_cookie (request)             IPv4       6             1             3697           3697          3697         3.7k  0.09  
http_raw_uri                      IPv4       6             1             5640           5640          5640         5.6k  0.13  
http_user_agent                   IPv4       6             1            40455          40455         40455        40.5k  0.95  
http_host                         IPv4       6             1            15824          15824         15824        15.8k  0.37  
dns_query                         IPv4      17            19             3850          34364          9324       177.2k  4.15  
http_response_line                IPv4       6             1            21178          21178         21178        21.2k  0.50  
http_header (response)            IPv4       6             1            36693          36693         36693        36.7k  0.86  
http_header (response trailer)    IPv4       6             1             2805           2805          2805         2.8k  0.07  
http_content_type (response)      IPv4       6             1            20512          20512         20512        20.5k  0.48  
http_raw_header (response)        IPv4       6             1             9119           9119          9119         9.1k  0.21  
http_cookie (response)            IPv4       6             1             3017           3017          3017         3.0k  0.07  
http_stat_code                    IPv4       6             1             8042           8042          8042         8.0k  0.19  
Total                             IPv4                   176                                         24262         4.3m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       2            14            36762         440685         71418        999.9k  1.69  
PROF_DETECT_IPONLY          IPv4       6             2            37516          37741         37628         75.3k  0.13  
PROF_DETECT_IPONLY          IPv4      17            46            37142         861900         90403          4.2m  7.01  
PROF_DETECT_RULES           IPv4       2            14             2522           2915          2602         36.4k  0.06  
PROF_DETECT_RULES           IPv4       6            10             2540        2451214        308808          3.1m  5.21  
PROF_DETECT_RULES           IPv4      17           122            44299        9859824        262316         32.0m  53.98 
PROF_DETECT_STATEFUL_START    IPv4       6             3             6183        1268859        462581          1.4m  2.34  
PROF_DETECT_STATEFUL_START    IPv4      17             1            42478          42478         42478         42.5k  0.07  
PROF_DETECT_STATEFUL_CONT    IPv4       2            14             2519           2776          2606         36.5k  0.06  
PROF_DETECT_STATEFUL_CONT    IPv4       6            10             2516          28397          7201         72.0k  0.12  
PROF_DETECT_STATEFUL_CONT    IPv4      17           122             2511          72067          4715        575.3k  0.97  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6             6             2583           3137          2829         17.0k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            38             2606           4760          2976        113.1k  0.19  
PROF_DETECT_PREFILTER       IPv4       2            14             7785          29642         10615        148.6k  0.25  
PROF_DETECT_PREFILTER       IPv4       6            10             8113         564406        142648          1.4m  2.41  
PROF_DETECT_PREFILTER       IPv4      17           122            24125         486623         50610          6.2m  10.41 
PROF_DETECT_PF_PAYLOAD      IPv4       6             5            99395         229614        149500        747.5k  1.26  
PROF_DETECT_PF_PAYLOAD      IPv4      17           122             8321         468326         29832          3.6m  6.14  
PROF_DETECT_PF_TX           IPv4       6             6             2900         375154         88258        529.6k  0.89  
PROF_DETECT_PF_TX           IPv4      17            19             9432          40271         14875        282.6k  0.48  
PROF_DETECT_PF_SORT1        IPv4       6             4             2613           8209          4346         17.4k  0.03  
PROF_DETECT_PF_SORT1        IPv4      17           122             2571          33340          3803        464.0k  0.78  
PROF_DETECT_PF_SORT2        IPv4       2            14             2516           2794          2602         36.4k  0.06  
PROF_DETECT_PF_SORT2        IPv4       6            10             2555           9519          3699         37.0k  0.06  
PROF_DETECT_PF_SORT2        IPv4      17           122             2544           4850          2885        352.1k  0.59  
PROF_DETECT_NONMPMLIST      IPv4       2            14             2530           2785          2750         38.5k  0.06  
PROF_DETECT_NONMPMLIST      IPv4       6            10             2556           3848          3087         30.9k  0.05  
PROF_DETECT_NONMPMLIST      IPv4      17           122             2524         387257          6226        759.7k  1.28  
PROF_DETECT_ALERT           IPv4       2            14             2525           2807          2559         35.8k  0.06  
PROF_DETECT_ALERT           IPv4       6            10             2520           5289          3004         30.0k  0.05  
PROF_DETECT_ALERT           IPv4      17           122             2525          71678          3338        407.3k  0.69  
PROF_DETECT_CLEANUP         IPv4       2            14             2510           2859          2549         35.7k  0.06  
PROF_DETECT_CLEANUP         IPv4       6            10             2613          31202          7077         70.8k  0.12  
PROF_DETECT_CLEANUP         IPv4      17           122             2518         391000          6316        770.6k  1.30  
PROF_DETECT_GETSGH          IPv4       2            14             2731           2909          2779         38.9k  0.07  
PROF_DETECT_GETSGH          IPv4       6            10             2538           6297          3544         35.4k  0.06  
PROF_DETECT_GETSGH          IPv4      17           122             2523          50313          4703        573.8k  0.97  


suricata-4.0.0-etpro-all-perf.txt-2018-12-24-T-13-43-40-12242018.1343-pcap_1.pcap.txt (17111 bytes)
  --------------------------------------------------------------------------
  Date: 12/24/2018 -- 13:43:40. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2803760      1        3        1080441      7.03   19       0        407649      56865.32    0.00        56865.32   
  2        2009702      1        5        816763       5.32   38       0        405851      21493.76    0.00        21493.76   
  3        2014701      1        12       1200859      7.82   38       0        404934      31601.55    0.00        31601.55   
  4        2014703      1        9        807238       5.26   38       0        400395      21243.11    0.00        21243.11   
  5        2100566      1        5        420762       2.74   12       0        390691      35063.50    0.00        35063.50   
  6        2010143      1        3        810076       5.27   110      0        388710      7364.33     0.00        7364.33    
  7        2802081      1        1        489072       3.18   36       0        386485      13585.33    0.00        13585.33   
  8        2023620      1        3        588101       3.83   74       0        384857      7947.31     0.00        7947.31    
  9        2823788      1        4        437489       2.85   19       0        383616      23025.74    0.00        23025.74   
  10       2018571      1        3        127680       0.83   1        1        127680      127680.00   127680.00   0.00       
  11       2805348      1        4        445411       2.90   6        0        100526      74235.17    0.00        74235.17   
  12       2808869      1        3        95362        0.62   1        0        95362       95362.00    0.00        95362.00   
  13       2022543      1        1        87812        0.57   1        0        87812       87812.00    0.00        87812.00   
  14       2802876      1        3        82977        0.54   1        0        82977       82977.00    0.00        82977.00   
  15       2827279      1        5        71543        0.47   1        0        71543       71543.00    0.00        71543.00   
  16       2815169      1        4        69855        0.45   1        0        69855       69855.00    0.00        69855.00   
  17       2023622      1        3        382947       2.49   122      0        64803       3138.91     0.00        3138.91    
  18       2822634      1        2        61862        0.40   1        0        61862       61862.00    0.00        61862.00   
  19       2022040      1        2        61694        0.40   1        0        61694       61694.00    0.00        61694.00   
  20       2826281      1        2        317688       2.07   19       0        57990       16720.42    0.00        16720.42   
  21       2828008      1        2        55067        0.36   1        0        55067       55067.00    0.00        55067.00   
  22       2816165      1        5        54818        0.36   1        0        54818       54818.00    0.00        54818.00   
  23       2823166      1        3        54065        0.35   1        0        54065       54065.00    0.00        54065.00   
  24       2815413      1        3        51663        0.34   1        0        51663       51663.00    0.00        51663.00   
  25       2815069      1        2        48755        0.32   1        0        48755       48755.00    0.00        48755.00   
  26       2016778      1        5        48237        0.31   1        1        48237       48237.00    48237.00    0.00       
  27       2819934      1        2        48145        0.31   1        0        48145       48145.00    0.00        48145.00   
  28       2815046      1        3        47682        0.31   1        0        47682       47682.00    0.00        47682.00   
  29       2816158      1        2        44563        0.29   1        0        44563       44563.00    0.00        44563.00   
  30       2014702      1        9        360220       2.35   38       0        43579       9479.47     0.00        9479.47    
  31       2816159      1        2        43491        0.28   1        0        43491       43491.00    0.00        43491.00   
  32       2828060      1        4        41909        0.27   1        0        41909       41909.00    0.00        41909.00   
  33       2022572      1        2        41701        0.27   1        0        41701       41701.00    0.00        41701.00   
  34       2808848      1        3        41507        0.27   1        0        41507       41507.00    0.00        41507.00   
  35       2809850      1        2        185364       1.21   10       0        41318       18536.40    0.00        18536.40   
  36       2821561      1        2        41311        0.27   1        0        41311       41311.00    0.00        41311.00   
  37       2815235      1        3        40922        0.27   1        0        40922       40922.00    0.00        40922.00   
  38       2815485      1        2        40882        0.27   1        0        40882       40882.00    0.00        40882.00   
  39       2820702      1        2        40593        0.26   1        0        40593       40593.00    0.00        40593.00   
  40       2012612      1        16       40568        0.26   1        0        40568       40568.00    0.00        40568.00   
  41       2822343      1        2        40302        0.26   1        0        40302       40302.00    0.00        40302.00   
  42       2021435      1        4        38946        0.25   1        0        38946       38946.00    0.00        38946.00   
  43       2812180      1        5        38325        0.25   1        0        38325       38325.00    0.00        38325.00   
  44       2021698      1        2        38273        0.25   1        0        38273       38273.00    0.00        38273.00   
  45       2809857      1        3        38254        0.25   1        0        38254       38254.00    0.00        38254.00   
  46       2022850      1        3        37978        0.25   1        0        37978       37978.00    0.00        37978.00   
  47       2018148      1        4        37534        0.24   1        0        37534       37534.00    0.00        37534.00   
  48       2828986      1        2        37383        0.24   1        0        37383       37383.00    0.00        37383.00   
  49       2022914      1        1        99249        0.65   8        0        36471       12406.12    0.00        12406.12   
  50       2825625      1        4        35784        0.23   1        0        35784       35784.00    0.00        35784.00   
  51       2820848      1        2        34067        0.22   1        0        34067       34067.00    0.00        34067.00   
  52       2814717      1        2        33224        0.22   1        0        33224       33224.00    0.00        33224.00   
  53       2011677      1        7        32765        0.21   1        0        32765       32765.00    0.00        32765.00   
  54       2822392      1        3        32684        0.21   1        0        32684       32684.00    0.00        32684.00   
  55       2016777      1        12       32653        0.21   1        1        32653       32653.00    32653.00    0.00       
  56       2011227      1        5        32303        0.21   1        1        32303       32303.00    32303.00    0.00       
  57       2816876      1        2        32270        0.21   1        0        32270       32270.00    0.00        32270.00   
  58       2805552      1        2        31850        0.21   1        0        31850       31850.00    0.00        31850.00   
  59       2807000      1        3        30645        0.20   1        0        30645       30645.00    0.00        30645.00   
  60       2806792      1        5        30135        0.20   1        0        30135       30135.00    0.00        30135.00   
  61       2812513      1        2        29485        0.19   1        0        29485       29485.00    0.00        29485.00   
  62       2821615      1        2        28973        0.19   1        0        28973       28973.00    0.00        28973.00   
  63       2017363      1        2        28938        0.19   1        1        28938       28938.00    28938.00    0.00       
  64       2815567      1        2        28888        0.19   1        0        28888       28888.00    0.00        28888.00   
  65       2829848      1        2        28793        0.19   1        0        28793       28793.00    0.00        28793.00   
  66       2012707      1        5        28164        0.18   1        0        28164       28164.00    0.00        28164.00   
  67       2024771      1        1        28006        0.18   1        0        28006       28006.00    0.00        28006.00   
  68       2804626      1        9        27987        0.18   1        0        27987       27987.00    0.00        27987.00   
  69       2814149      1        3        27521        0.18   1        0        27521       27521.00    0.00        27521.00   
  70       2829105      1        1        27383        0.18   1        0        27383       27383.00    0.00        27383.00   
  71       2017552      1        6        43069        0.28   2        0        26923       21534.50    0.00        21534.50   
  72       2010140      1        7        537335       3.50   110      0        25172       4884.86     0.00        4884.86    
  73       2816669      1        4        22602        0.15   1        0        22602       22602.00    0.00        22602.00   
  74       2826256      1        2        22024        0.14   1        0        22024       22024.00    0.00        22024.00   
  75       2024513      1        5        21670        0.14   1        0        21670       21670.00    0.00        21670.00   
  76       2814100      1        2        21472        0.14   1        0        21472       21472.00    0.00        21472.00   
  77       2013382      1        3        20591        0.13   1        0        20591       20591.00    0.00        20591.00   
  78       2806131      1        3        20472        0.13   1        0        20472       20472.00    0.00        20472.00   
  79       2008420      1        4        21089        0.14   2        0        17842       10544.50    0.00        10544.50   
  80       2009243      1        2        168297       1.10   56       0        16538       3005.30     0.00        3005.30    
  81       2008118      1        3        187823       1.22   56       0        16498       3353.98     0.00        3353.98    
  82       2016537      1        2        16453        0.11   1        0        16453       16453.00    0.00        16453.00   
  83       2023627      1        3        236056       1.54   76       0        15524       3106.00     0.00        3106.00    
  84       2809532      1        1        19158        0.12   2        0        15383       9579.00     0.00        9579.00    
  85       2823937      1        13       14733        0.10   1        0        14733       14733.00    0.00        14733.00   
  86       2811537      1        1        17868        0.12   2        0        14208       8934.00     0.00        8934.00    
  87       2008116      1        4        26453        0.17   6        0        12326       4408.83     0.00        4408.83    
  88       2019011      1        3        25806        0.17   6        0        12206       4301.00     0.00        4301.00    
  89       2019017      1        3        22957        0.15   6        0        9469        3826.17     0.00        3826.17    
  90       2805211      1        1        68023        0.44   8        0        9436        8502.88     0.00        8502.88    
  91       2016323      1        1        41865        0.27   12       0        8769        3488.75     0.00        3488.75    
  92       2100540      1        12       11655        0.08   2        0        8673        5827.50     0.00        5827.50    
  93       2802822      1        1        82764        0.54   26       0        8484        3183.23     0.00        3183.23    
  94       2016363      1        2        39187        0.26   12       0        7819        3265.58     0.00        3265.58    
  95       2019010      1        3        20962        0.14   6        0        6442        3493.67     0.00        3493.67    
  96       2020369      1        3        4853         0.03   1        0        4853        4853.00     0.00        4853.00    
  97       2810793      1        5        4049         0.03   1        0        4049        4049.00     0.00        4049.00    
  98       2013739      1        15       187998       1.22   72       0        4014        2611.08     0.00        2611.08    
  99       2008120      1        4        295152       1.92   110      0        3931        2683.20     0.00        2683.20    
  100      2019016      1        3        17575        0.11   6        0        3839        2929.17     0.00        2929.17    
  101      2802026      1        1        57379        0.37   20       0        3744        2868.95     0.00        2868.95    
  102      2023626      1        3        211635       1.38   80       0        3723        2645.44     0.00        2645.44    
  103      2023621      1        4        105409       0.69   40       0        3628        2635.22     0.00        2635.22    
  104      2023625      1        3        197520       1.29   74       0        3614        2669.19     0.00        2669.19    
  105      2102523      1        8        3566         0.02   1        0        3566        3566.00     0.00        3566.00    
  106      2023617      1        3        120142       0.78   46       0        3557        2611.78     0.00        2611.78    
  107      2023615      1        3        75159        0.49   28       0        3516        2684.25     0.00        2684.25    
  108      2102523      1        8        3454         0.02   1        0        3454        3454.00     0.00        3454.00    
  109      2828877      1        1        3441         0.02   1        0        3441        3441.00     0.00        3441.00    
  110      2100540      1        12       6697         0.04   2        0        3428        3348.50     0.00        3348.50    
  111      2828876      1        1        6287         0.04   2        0        3421        3143.50     0.00        3143.50    
  112      2008117      1        3        73270        0.48   26       0        3420        2818.08     0.00        2818.08    
  113      2010142      1        4        285981       1.86   110      0        3405        2599.83     0.00        2599.83    
  114      2025200      1        1        109382       0.71   38       0        3397        2878.47     0.00        2878.47    
  115      2023623      1        3        160562       1.05   62       0        3376        2589.71     0.00        2589.71    
  116      2100518      1        8        17341        0.11   6        0        3347        2890.17     0.00        2890.17    
  117      2023612      1        4        110416       0.72   42       0        3320        2628.95     0.00        2628.95    
  118      2804586      1        2        3289         0.02   1        0        3289        3289.00     0.00        3289.00    
  119      2816382      1        1        3273         0.02   1        0        3273        3273.00     0.00        3273.00    
  120      2023624      1        3        213394       1.39   82       0        3209        2602.37     0.00        2602.37    
  121      2013075      1        8        50077        0.33   19       0        3182        2635.63     0.00        2635.63    
  122      2023618      1        3        90908        0.59   34       0        3137        2673.76     0.00        2673.76    
  123      2801347      1        5        31172        0.20   12       0        3109        2597.67     0.00        2597.67    
  124      2023613      1        3        100819       0.66   38       0        3091        2653.13     0.00        2653.13    
  125      2828748      1        2        

This file has been truncated.


stats.log - (2838 bytes)
------------------------------------------------------------------------------------
Date: 12/24/2018 -- 13:43:40 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 170
decoder.bytes                              | Total                     | 16903
decoder.ipv4                               | Total                     | 146
decoder.ethernet                           | Total                     | 170
decoder.tcp                                | Total                     | 10
decoder.udp                                | Total                     | 122
decoder.avg_pkt_size                       | Total                     | 99
decoder.max_pkt_size                       | Total                     | 312
flow.tcp                                   | Total                     | 1
flow.udp                                   | Total                     | 27
tcp.sessions                               | Total                     | 1
tcp.syn                                    | Total                     | 1
tcp.synack                                 | Total                     | 1
detect.alert                               | Total                     | 4
detect.mpm_list                            | Total                     | 12
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 14
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 19
app_layer.tx.dns_udp                       | Total                     | 19
app_layer.flow.failed_udp                  | Total                     | 8
flow.spare                                 | Total                     | 9975
flow_mgr.flows_checked                     | Total                     | 11
flow_mgr.flows_notimeout                   | Total                     | 11
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65525
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074304


eve.json - (15555 bytes)
{"timestamp":"2018-12-13T16:52:31.256470+0000","flow_id":74051918752214,"pcap_cnt":105,"event_type":"dns","src_ip":"192.168.56.107","src_port":52032,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13877,"rrname":"113.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:52:31.471642+0000","flow_id":74051918752214,"pcap_cnt":106,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":52032,"proto":"UDP","dns":{"type":"answer","id":13877,"rcode":"NOERROR","rrname":"113.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:52:33.433743+0000","flow_id":727797480922703,"pcap_cnt":107,"event_type":"alert","src_ip":"192.168.56.107","src_port":50089,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016778,"rev":5,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-12-13T16:52:33.433743+0000","flow_id":727797480922703,"pcap_cnt":107,"event_type":"dns","src_ip":"192.168.56.107","src_port":50089,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48259,"rrname":"bulk.iconological.pw","rrtype":"A","tx_id":0}}
{"timestamp":"2018-12-13T16:52:33.756391+0000","flow_id":727797480922703,"pcap_cnt":108,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":50089,"proto":"UDP","dns":{"type":"answer","id":48259,"rcode":"NOERROR","rrname":"bulk.iconological.pw","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:52:33.802004+0000","flow_id":1842564832539941,"pcap_cnt":116,"event_type":"alert","src_ip":"192.168.56.107","src_port":49167,"dest_ip":"192.168.56.1","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2011227,"rev":5,"signature":"ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-12-13T16:52:33.802004+0000","flow_id":1842564832539941,"pcap_cnt":116,"event_type":"alert","src_ip":"192.168.56.107","src_port":49167,"dest_ip":"192.168.56.1","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016777,"rev":12,"signature":"ET INFO HTTP Request to a *.pw domain","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-12-13T16:52:33.802004+0000","flow_id":1842564832539941,"pcap_cnt":116,"event_type":"http","src_ip":"192.168.56.107","src_port":49167,"dest_ip":"192.168.56.1","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"bulk.iconological.pw","url":"\/get\/domain","http_user_agent":"NSIS_Inetc (Mozilla)","http_content_type":"text\/html"}}
{"timestamp":"2018-12-13T16:52:33.802402+0000","flow_id":1842564832539941,"pcap_cnt":118,"event_type":"alert","src_ip":"192.168.56.1","src_port":80,"dest_ip":"192.168.56.107","dest_port":49167,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2017363,"rev":2,"signature":"ET INFO InetSim Response from External Source Possible SinkHole","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-12-13T16:52:33.802402+0000","flow_id":1842564832539941,"pcap_cnt":118,"event_type":"fileinfo","src_ip":"192.168.56.1","src_port":80,"dest_ip":"192.168.56.107","dest_port":49167,"proto":"TCP","http":{"hostname":"bulk.iconological.pw","url":"\/get\/domain","http_user_agent":"NSIS_Inetc (Mozilla)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":258},"app_proto":"http","fileinfo":{"filename":"\/get\/domain","gaps":false,"state":"CLOSED","stored":false,"size":258,"tx_id":0}}
{"timestamp":"2018-12-13T16:52:35.093914+0000","flow_id":1354527698808538,"pcap_cnt":119,"event_type":"dns","src_ip":"192.168.56.107","src_port":50412,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29891,"rrname":"f.2.b.3.d.e.b.d.4.4.e.3.d.d.c.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:52:35.097202+0000","flow_id":679376019749810,"pcap_cnt":120,"event_type":"dns","src_ip":"192.168.56.107","src_port":60023,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41540,"rrname":"104.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:52:35.313839+0000","flow_id":679376019749810,"pcap_cnt":121,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":60023,"proto":"UDP","dns":{"type":"answer","id":41540,"rcode":"NOERROR","rrname":"104.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:52:35.336455+0000","flow_id":1354527698808538,"pcap_cnt":122,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":50412,"proto":"UDP","dns":{"type":"answer","id":29891,"rcode":"NOERROR","rrname":"f.2.b.3.d.e.b.d.4.4.e.3.d.d.c.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:52:47.106974+0000","flow_id":2128652605039070,"pcap_cnt":123,"event_type":"dns","src_ip":"192.168.56.107","src_port":57365,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60126,"rrname":"7.7.6.8.b.5.2.b.3.c.b.3.4.9.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:52:47.107230+0000","flow_id":50008692859614,"pcap_cnt":124,"event_type":"dns","src_ip":"192.168.56.107","src_port":50687,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60035,"rrname":"103.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:52:47.333231+0000","flow_id":2128652605039070,"pcap_cnt":125,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":57365,"proto":"UDP","dns":{"type":"answer","id":60126,"rcode":"NOERROR","rrname":"7.7.6.8.b.5.2.b.3.c.b.3.4.9.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:52:47.333861+0000","flow_id":50008692859614,"pcap_cnt":126,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":50687,"proto":"UDP","dns":{"type":"answer","id":60035,"rcode":"NOERROR","rrname":"103.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:01.151947+0000","flow_id":1395059306877323,"pcap_cnt":127,"event_type":"dns","src_ip":"192.168.56.107","src_port":53501,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1265,"rrname":"8.1.3.6.4.0.a.6.a.f.d.3.6.4.c.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:01.152232+0000","flow_id":415471755940520,"pcap_cnt":128,"event_type":"dns","src_ip":"192.168.56.107","src_port":53126,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6839,"rrname":"105.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:01.379337+0000","flow_id":1395059306877323,"pcap_cnt":129,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":53501,"proto":"UDP","dns":{"type":"answer","id":1265,"rcode":"NOERROR","rrname":"8.1.3.6.4.0.a.6.a.f.d.3.6.4.c.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:01.380093+0000","flow_id":415471755940520,"pcap_cnt":130,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":53126,"proto":"UDP","dns":{"type":"answer","id":6839,"rcode":"NOERROR","rrname":"105.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:14.222624+0000","flow_id":798479760385440,"pcap_cnt":131,"event_type":"dns","src_ip":"192.168.56.107","src_port":56915,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1260,"rrname":"f.e.b.2.b.3.a.b.0.5.3.6.b.7.c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:14.223421+0000","flow_id":539506117339325,"pcap_cnt":132,"event_type":"dns","src_ip":"192.168.56.107","src_port":61737,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39568,"rrname":"108.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:14.450894+0000","flow_id":798479760385440,"pcap_cnt":133,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":56915,"proto":"UDP","dns":{"type":"answer","id":1260,"rcode":"NOERROR","rrname":"f.e.b.2.b.3.a.b.0.5.3.6.b.7.c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:14.451480+0000","flow_id":539506117339325,"pcap_cnt":134,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":61737,"proto":"UDP","dns":{"type":"answer","id":39568,"rcode":"NOERROR","rrname":"108.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:24.216160+0000","flow_id":843585507576928,"pcap_cnt":135,"event_type":"dns","src_ip":"192.168.56.107","src_port":62989,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61220,"rrname":"a.3.a.1.9.5.4.3.0.1.5.b.f.3.1.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:24.216742+0000","flow_id":320325346938534,"pcap_cnt":136,"event_type":"dns","src_ip":"192.168.56.107","src_port":49783,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6204,"rrname":"110.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:24.439035+0000","flow_id":320325346938534,"pcap_cnt":137,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":49783,"proto":"UDP","dns":{"type":"answer","id":6204,"rcode":"NOERROR","rrname":"110.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:24.452817+0000","flow_id":843585507576928,"pcap_cnt":138,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":62989,"proto":"UDP","dns":{"type":"answer","id":61220,"rcode":"NOERROR","rrname":"a.3.a.1.9.5.4.3.0.1.5.b.f.3.1.6.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:35.290799+0000","flow_id":1883736393084911,"pcap_cnt":143,"event_type":"dns","src_ip":"192.168.56.107","src_port":64618,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54114,"rrname":"250.255.255.239.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:35.508868+0000","flow_id":1883736393084911,"pcap_cnt":146,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":64618,"proto":"UDP","dns":{"type":"answer","id":54114,"rcode":"NOERROR","rrname":"250.255.255.239.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:38.279278+0000","flow_id":565086944117486,"pcap_cnt":151,"event_type":"dns","src_ip":"192.168.56.107","src_port":49893,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62438,"rrname":"2.e.0.0.4.9.e.9.9.4.f.5.6.9.d.5.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:38.279623+0000","flow_id":1302425454658631,"pcap_cnt":152,"event_type":"dns","src_ip":"192.168.56.107","src_port":51777,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21860,"rrname":"111.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:38.280356+0000","flow_id":2235799157491492,"pcap_cnt":153,"event_type":"dns","src_ip":"192.168.56.107","src_port":64844,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45640,"rrname":"102.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:38.498999+0000","flow_id":1302425454658631,"pcap_cnt":154,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":51777,"proto":"UDP","dns":{"type":"answer","id":21860,"rcode":"NOERROR","rrname":"111.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:38.500026+0000","flow_id":2235799157491492,"pcap_cnt":155,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":64844,"proto":"UDP","dns":{"type":"answer","id":45640,"rcode":"NOERROR","rrname":"102.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:38.513974+0000","flow_id":565086944117486,"pcap_cnt":156,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":49893,"proto":"UDP","dns":{"type":"answer","id":62438,"rcode":"NOERROR","rrname":"2.e.0.0.4.9.e.9.9.4.f.5.6.9.d.5.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:50.449366+0000","flow_id":660259125254998,"pcap_cnt":165,"event_type":"dns","src_ip":"192.168.56.107","src_port":61868,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31889,"rrname":"b.9.d.1.8.0.5.6.0.f.9.8.1.e.1.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:50.449670+0000","flow_id":1048992320248966,"pcap_cnt":166,"event_type":"dns","src_ip":"192.168.56.107","src_port":56848,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8776,"rrname":"112.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:53:50.668331+0000","flow_id":1048992320248966,"pcap_cnt":167,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":56848,"proto":"UDP","dns":{"type":"answer","id":8776,"rcode":"NOERROR","rrname":"112.56.168.192.in-addr.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:53:50.693650+0000","flow_id":660259125254998,"pcap_cnt":168,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":61868,"proto":"UDP","dns":{"type":"answer","id":31889,"rcode":"NOERROR","rrname":"b.9.d.1.8.0.5.6.0.f.9.8.1.e.1.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}
{"timestamp":"2018-12-13T16:54:03.579481+0000","flow_id":660422334863257,"pcap_cnt":169,"event_type":"dns","src_ip":"192.168.56.107","src_port":52965,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40622,"rrname":"1.e.4.1.e.a.b.8.8.d.b.8.a.0.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2018-12-13T16:54:03.804374+0000","flow_id":660422334863257,"pcap_cnt":170,"event_type":"dns","src_ip":"192.168.56.1","src_port":53,"dest_ip":"192.168.56.107","dest_port":52965,"proto":"UDP","dns":{"type":"answer","id":40622,"rcode":"NOERROR","rrname":"1.e.4.1.e.a.b.8.8.d.b.8.a.0.4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"A","ttl":0,"rdata":"192.168.56.1"}}


suricata-report-2018-12-24-T-13-43-40-12242018.1343-pcap_1.pcap.txt - (17861 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/b440eff752ea79b3bfd83f866641c26b56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12242018.1343-pcap_1.pcap -vvv -k none
elapsedtime:22.292543
stderr:
stdout:
24/12/2018 -- 13:43:18 - <Info> - Configuration node 'rule-files' redefined.
24/12/2018 -- 13:43:18 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/12/2018 -- 13:43:18 - <Info> - CPUs/cores online: 1
24/12/2018 -- 13:43:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34085 and 'request-body-inspect-window' set to 17170 after randomization.
24/12/2018 -- 13:43:18 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34230 and 'response-body-inspect-window' set to 17133 after randomization.
24/12/2018 -- 13:43:18 - <Config> - DNS request flood protection level: 500
24/12/2018 -- 13:43:18 - <Config> - DNS per flow memcap (state-memcap): 524288
24/12/2018 -- 13:43:18 - <Config> - DNS global memcap: 16777216
24/12/2018 -- 13:43:18 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/12/2018 -- 13:43:18 - <Config> - preallocated 1000 hosts of size 136
24/12/2018 -- 13:43:18 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/12/2018 -- 13:43:18 - <Config> - using magic-file /usr/share/file/magic
24/12/2018 -- 13:43:18 - <Config> - Core dump size is unlimited.
24/12/2018 -- 13:43:18 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/12/2018 -- 13:43:18 - <Config> - preallocated 1000 defrag trackers of size 168
24/12/2018 -- 13:43:18 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/12/2018 -- 13:43:18 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/12/2018 -- 13:43:18 - <Config> - stream "memcap": 33554432
24/12/2018 -- 13:43:18 - <Config> - stream "midstream" session pickups: disabled
24/12/2018 -- 13:43:18 - <Config> - stream "async-oneside": disabled
24/12/2018 -- 13:43:18 - <Config> - stream "checksum-validation": disabled
24/12/2018 -- 13:43:18 - <Config> - stream."inline": disabled
24/12/2018 -- 13:43:18 - <Config> - stream "bypass": disabled
24/12/2018 -- 13:43:18 - <Config> - stream "max-synack-queued": 5
24/12/2018 -- 13:43:18 - <Config> - stream.reassembly "memcap": 134217728
24/12/2018 -- 13:43:18 - <Config> - stream.reassembly "depth": 0
24/12/2018 -- 13:43:18 - <Config> - stream.reassembly "toserver-chunk-size": 2627
24/12/2018 -- 13:43:18 - <Config> - stream.reassembly "toclient-chunk-size": 2687
24/12/2018 -- 13:43:18 - <Config> - stream.reassembly.raw: enabled
24/12/2018 -- 13:43:18 - <Config> - stream.reassembly "segment-prealloc": 2048
24/12/2018 -- 13:43:18 - <Config> - Delayed detect disabled
24/12/2018 -- 13:43:18 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/12/2018 -- 13:43:18 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/12/2018 -- 13:43:18 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/12/2018 -- 13:43:18 - <Config> - prefilter engines: MPM
24/12/2018 -- 13:43:18 - <Config> - IP reputation disabled
24/12/2018 -- 13:43:18 - <Perf> - Registered 148 keyword profiling counters.
24/12/2018 -- 13:43:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
24/12/2018 -- 13:43:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
24/12/2018 -- 13:43:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/12/2018 -- 13:43:23 - <Config> - No rules loaded from ET-icmp.rules.
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
24/12/2018 -- 13:43:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
24/12/2018 -- 13:43:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
24/12/2018 -- 13:43:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
24/12/2018 -- 13:43:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
24/12/2018 -- 13:43:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
24/12/2018 -- 13:43:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
24/12/2018 -- 13:43:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
24/12/2018 -- 13:43:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
24/12/2018 -- 13:43:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
24/12/2018 -- 13:43:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
24/12/2018 -- 13:43:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
24/12/2018 -- 13:43:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
24/12/2018 -- 13:43:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
24/12/2018 -- 13:43:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/12/2018 -- 13:43:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/12/2018 -- 13:43:31 - <Config> - No rules loaded from local.rules.
24/12/2018 -- 13:43:31 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/12/2018 -- 13:43:31 - <Info> - Threshold config parsed: 0 rule(s) found
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for tcp-packet
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for tcp-stream
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for udp-packet
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for other-ip
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_uri
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_request_line
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_client_body
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_response_line
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_header
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_header
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_header_names
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_header_names
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_accept
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_accept_enc
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_accept_lang
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_referer
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_connection
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_content_len
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_content_len
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_content_type
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_content_type
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_protocol
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_protocol
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_start
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_start
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_raw_header
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_raw_header
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_method
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_cookie
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_cookie
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_raw_uri
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_user_agent
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_host
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_raw_host
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_stat_msg
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_stat_code
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for dns_query
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for tls_sni
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for dce_stub_data
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for dce_stub_data
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for ssh_protocol
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for ssh_protocol
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for ssh_software
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for ssh_software
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for file_data
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for file_data
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_request_line
24/12/2018 -- 13:43:31 - <Perf> - using shared mpm ctx' for http_response_line
24/12/2018 -- 13:43:31 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/12/2018 -- 13:43:31 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/12/2018 -- 13:43:32 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
24/12/2018 -- 13:43:32 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/12/2018 -- 13:43:32 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
24/12/2018 -- 13:43:32 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
24/12/2018 -- 13:43:32 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
24/12/2018 -- 13:43:32 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/12/2018 -- 13:43:37 - <Perf> - Unique rule groups: 104
24/12/2018 -- 13:43:37 - <Perf> - Builtin MPM "toserver TCP packet": 35
24/12/2018 -- 13:43:37 - <Perf> - Builtin MPM "toclient TCP packet": 17
24/12/2018 -- 13:43:37 - <Perf> - Builtin MPM "toserver TCP stream": 33
24/12/2018 -- 13:43:37 - <Perf> - Builtin MPM "toclient TCP stream": 19
24/12/2018 -- 13:43:37 - <Perf> - Builtin MPM "toserver UDP packet": 27
24/12/2018 -- 13:43:37 - <Perf> - Builtin MPM "toclient UDP packet": 17
24/12/2018 -- 13:43:37 - <Perf> - Builtin MPM "other IP packet": 3
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_header": 10
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient http_header": 6
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_start": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_method": 5
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver http_host": 2
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toserver file_data": 1
24/12/2018 -- 13:43:37 - <Perf> - AppLayer MPM "toclient file_data": 7
24/12/2018 -- 13:43:39 - <Perf> - Registered 39590 rule profiling counters.
24/12/2018 -- 13:43:39 - <Info> - fast output device (regular) initialized: alert
24/12/2018 -- 13:43:39 - <Info> - eve-log output device (regular) initialized: eve.json
24/12/2018 -- 13:43:39 - <Config> - enabling 'eve-log' module 'alert'
24/12/2018 -- 13:43:39 - <Config> - enabling 'eve-log' module 'http'
24/12/2018 -- 13:43:39 - <Config> - enabling 'eve-log' module 'dns'
24/12/2018 -- 13:43:39 - <Config> - enabling 'eve-log' module 'tls'
24/12/2018 -- 13:43:39 - <Config> - enabling 'eve-log' module 'files'
24/12/2018 -- 13:43:39 - <Config> - enabling 'eve-log' module 'ssh'
24/12/2018 -- 13:43:39 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/12/2018 -- 13:43:39 - <Info> - stats output device (regular) initialized: stats.log
24/12/2018 -- 13:43:39 - <Config> - AutoFP mode using "Hash" flow loa

This file has been truncated.


keyword_perf.log - (11679 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 12/24/2018 -- 13:43:40
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             302770          61              61              24507           4963.00         4963.00         0.00           
  content          1327585         355             231             70471           3739.00         3633.00         3938.00        
  pcre             224803          23              3               42730           9774.00         13662.00        9190.00        
  byte_test        540450          171             77              24632           3160.00         3490.00         2889.00        
  byte_jump        17730           6               6               3655            2955.00         2955.00         0.00           
  isdataat         2793            1               0               2793            2793.00         0.00            2793.00        
  flowbits         18547           4               1               9308            4636.00         9308.00         3079.00        
  urilen           15676           5               0               3737            3135.00         0.00            3135.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             302770          61              61              24507           4963.00         4963.00         0.00           
  flowbits         9239            3               0               3481            3079.00         0.00            3079.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          801274          230             147             70471           3483.00         3201.00         3983.00        
  pcre             126044          14              0               42730           9003.00         0.00            9003.00        
  byte_test        540450          171             77              24632           3160.00         3490.00         2889.00        
  byte_jump        17730           6               6               3655            2955.00         2955.00         0.00           
  isdataat         2793            1               0               2793            2793.00         0.00            2793.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         9308            1               1               9308            9308.00         9308.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          106494          26              2               10139           4095.00         3956.00         4107.00        
  pcre             24132           3               0               13540           8044.00         0.00            8044.00        
  urilen           15676           5               0               3737            3135.00         0.00            3135.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4623            1               0               4623            4623.00         0.00            4623.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          325603          73              64              19547           4460.00         4579.00         3615.00        
  pcre             74627           6               3               17695           12437.00        13662.00        11213.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3551            1               1               3551            3551.00         3551.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6983            2               2               3577            3491.00         3491.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9142            3               0               3318            3047.00         0.00            3047.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          46192           13              11              4083            3553.00         3623.00         3168.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6651            2               2               3595            3325.00         3325.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6472            2               0               3254            3236.00         0.00            3236.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: dns_query
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          10600           2               2               6246            5300.00         5300.00         0.00           


unified2.alert.1545659019 - (1402 bytes)
[unified2 binary record headers and packet headers omitted; the readable packet payloads follow]

DNS query (wire-format labels): bulk . iconological . pw

GET /get/domain HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: bulk.iconological.pw
Connection: Keep-Alive
Cache-Control: no-cache

(the same GET request is recorded a second time, one packet record per alert)

HTTP/1.1 200 OK
Date: Thu, 13 Dec 2018 16:52:33 GMT
Server: INetSim HTTP Server
Content-Type: text/html
Connection: Close
Content-Length: 258

<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>


IDSDeathBlossom.py.log - (1146 bytes)
2018-12-24 13:43:17,277 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-12-24 13:43:18,017 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-12-24 13:43:18,017 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-12-24 13:43:18,017 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-12-24 13:43:18,017 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-12-24 13:43:18,018 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/b440eff752ea79b3bfd83f866641c26b56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12242018.1343-pcap_1.pcap -vvv -k none
2018-12-24 13:43:40,312 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-12-24 13:43:40,313 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.0437099934