Filename: grinch_activity-holiday_chunk_0-btc-download.pcapng
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 8.62638711929 seconds
Hash: b57211726c1e8282a7345e0f6d807026
Uploaded: 1545450581

Logfiles


suricata-report-2018-12-22-T-03-49-50-12222018.0349-grinch_activity-holiday_chunk_0-btc-download.pcapng.txt - (18512 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/b57211726c1e8282a7345e0f6d807026d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/12222018.0349-grinch_activity-holiday_chunk_0-btc-download.pcapng -vvv -k none
elapsedtime:7.705923
stderr:
22/12/2018 -- 03:49:49 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 an interface has a snapshot length 65535 different from the type of the first interface
stdout:
22/12/2018 -- 03:49:42 - <Info> - Configuration node 'rule-files' redefined.
22/12/2018 -- 03:49:42 - <Notice> - This is Suricata version 4.0.0 RELEASE
22/12/2018 -- 03:49:42 - <Info> - CPUs/cores online: 1
22/12/2018 -- 03:49:42 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33390 and 'request-body-inspect-window' set to 16089 after randomization.
22/12/2018 -- 03:49:42 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31577 and 'response-body-inspect-window' set to 16918 after randomization.
22/12/2018 -- 03:49:42 - <Config> - DNS request flood protection level: 500
22/12/2018 -- 03:49:42 - <Config> - DNS per flow memcap (state-memcap): 524288
22/12/2018 -- 03:49:42 - <Config> - DNS global memcap: 16777216
22/12/2018 -- 03:49:42 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
22/12/2018 -- 03:49:42 - <Config> - preallocated 1000 hosts of size 136
22/12/2018 -- 03:49:42 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
22/12/2018 -- 03:49:42 - <Config> - using magic-file /usr/share/file/magic
22/12/2018 -- 03:49:42 - <Config> - Core dump size is unlimited.
22/12/2018 -- 03:49:42 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
22/12/2018 -- 03:49:42 - <Config> - preallocated 1000 defrag trackers of size 168
22/12/2018 -- 03:49:42 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
22/12/2018 -- 03:49:42 - <Config> - stream "prealloc-sessions": 2048 (per thread)
22/12/2018 -- 03:49:42 - <Config> - stream "memcap": 33554432
22/12/2018 -- 03:49:42 - <Config> - stream "midstream" session pickups: disabled
22/12/2018 -- 03:49:42 - <Config> - stream "async-oneside": disabled
22/12/2018 -- 03:49:42 - <Config> - stream "checksum-validation": disabled
22/12/2018 -- 03:49:42 - <Config> - stream."inline": disabled
22/12/2018 -- 03:49:42 - <Config> - stream "bypass": disabled
22/12/2018 -- 03:49:42 - <Config> - stream "max-synack-queued": 5
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "memcap": 134217728
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "depth": 0
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "toserver-chunk-size": 2512
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "toclient-chunk-size": 2606
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly.raw: enabled
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "segment-prealloc": 2048
22/12/2018 -- 03:49:42 - <Config> - Delayed detect disabled
22/12/2018 -- 03:49:42 - <Config> - pattern matchers: MPM: ac, SPM: bm
22/12/2018 -- 03:49:42 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
22/12/2018 -- 03:49:42 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
22/12/2018 -- 03:49:42 - <Config> - prefilter engines: MPM
22/12/2018 -- 03:49:42 - <Config> - IP reputation disabled
22/12/2018 -- 03:49:42 - <Perf> - Registered 148 keyword profiling counters.
22/12/2018 -- 03:49:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
22/12/2018 -- 03:49:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
22/12/2018 -- 03:49:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
22/12/2018 -- 03:49:43 - <Config> - No rules loaded from ET-emerging-icmp.rules.
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
22/12/2018 -- 03:49:47 - <Config> - No rules loaded from local.rules.
22/12/2018 -- 03:49:47 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
22/12/2018 -- 03:49:47 - <Info> - Threshold config parsed: 0 rule(s) found
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tcp-packet
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tcp-stream
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for udp-packet
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for other-ip
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_uri
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_request_line
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_client_body
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_response_line
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_header
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_header
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_header_names
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_header_names
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_accept
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_accept_enc
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_accept_lang
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_referer
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_connection
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_content_len
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_content_len
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_content_type
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_content_type
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_protocol
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_protocol
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_start
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_start
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_raw_header
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_raw_header
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_method
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_cookie
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_cookie
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_raw_uri
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_user_agent
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_host
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_raw_host
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_stat_msg
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_stat_code
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for dns_query
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tls_sni
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tls_cert_issuer
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tls_cert_subject
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tls_cert_serial
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for dce_stub_data
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for dce_stub_data
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for ssh_protocol
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for ssh_protocol
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for ssh_software
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for ssh_software
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for file_data
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for file_data
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_request_line
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_response_line
22/12/2018 -- 03:49:47 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
22/12/2018 -- 03:49:47 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
22/12/2018 -- 03:49:47 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
22/12/2018 -- 03:49:47 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
22/12/2018 -- 03:49:47 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
22/12/2018 -- 03:49:47 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
22/12/2018 -- 03:49:47 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
22/12/2018 -- 03:49:47 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
22/12/2018 -- 03:49:48 - <Perf> - Unique rule groups: 111
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toserver TCP packet": 31
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toclient TCP packet": 20
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toserver TCP stream": 31
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toclient TCP stream": 21
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toserver UDP packet": 33
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toclient UDP packet": 15
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "other IP packet": 2
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_uri": 8
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_request_line": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_client_body": 6
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_response_line": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_header": 6
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_header": 3
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_header_names": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_accept": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_referer": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_content_len": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_content_type": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_content_type": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_start": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_method": 3
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_cookie": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_cookie": 2
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_host": 2
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver dns_query": 4
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver tls_sni": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver file_data": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient file_data": 5
22/12/2018 -- 03:49:49 - <Perf> - Registered 18241 rule profiling counters.
22/12/2018 -- 03:49:49 - <Info> - fast output device (regular) initialized: alert
22/12/2018 -- 03:49:49 - <Info> - eve-log output device (regular) initialized: eve.json
22/12/2018 -- 03:49:49 - <Config> - enabling 'eve-log' module 'alert'
22/12/2018 -- 03:49:49 - <Config> - enabling 'eve-log' module 'http'
22/12/

This file has been truncated.


suricata-4.0.0-etopen-all-perf.txt-2018-12-22-T-03-49-50-12222018.0349-grinch_activity-holiday_chunk_0-btc-download.pcapng.txt - (471 bytes)
  --------------------------------------------------------------------------
  Date: 12/22/2018 -- 03:49:50. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 


packet_stats.log - (2022 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 


stats.log - (866 bytes)
------------------------------------------------------------------------------------
Date: 12/22/2018 -- 03:49:50 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074304


keyword_perf.log - (707 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 12/22/2018 -- 03:49:50
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 


IDSDeathBlossom.py.log - (20126 bytes)
2018-12-22 03:49:41,703 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-12-22 03:49:42,413 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-12-22 03:49:42,414 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2018-12-22 03:49:42,414 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-12-22 03:49:42,414 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-12-22 03:49:42,415 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/b57211726c1e8282a7345e0f6d807026d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/12222018.0349-grinch_activity-holiday_chunk_0-btc-download.pcapng -vvv -k none
2018-12-22 03:49:50,129 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
22/12/2018 -- 03:49:49 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 an interface has a snapshot length 65535 different from the type of the first interface
2018-12-22 03:49:50,130 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-12-22 03:49:50,131 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +437 - mode:suricata; lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/b57211726c1e8282a7345e0f6d807026d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/12222018.0349-grinch_activity-holiday_chunk_0-btc-download.pcapng -vvv -k none; returncode:0; elapsed:7.705923; Errors:
- 22/12/2018 -- 03:49:49 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 an interface has a snapshot length 65535 different from the type of the first interface

 Warnings:
None
 stderr:
22/12/2018 -- 03:49:49 - <Error> - [ERRCODE: SC_ERR_PCAP_DISPATCH(20)] - error code -1 an interface has a snapshot length 65535 different from the type of the first interface

 stdout:
22/12/2018 -- 03:49:42 - <Info> - Configuration node 'rule-files' redefined.
22/12/2018 -- 03:49:42 - <Notice> - This is Suricata version 4.0.0 RELEASE
22/12/2018 -- 03:49:42 - <Info> - CPUs/cores online: 1
22/12/2018 -- 03:49:42 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33390 and 'request-body-inspect-window' set to 16089 after randomization.
22/12/2018 -- 03:49:42 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31577 and 'response-body-inspect-window' set to 16918 after randomization.
22/12/2018 -- 03:49:42 - <Config> - DNS request flood protection level: 500
22/12/2018 -- 03:49:42 - <Config> - DNS per flow memcap (state-memcap): 524288
22/12/2018 -- 03:49:42 - <Config> - DNS global memcap: 16777216
22/12/2018 -- 03:49:42 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
22/12/2018 -- 03:49:42 - <Config> - preallocated 1000 hosts of size 136
22/12/2018 -- 03:49:42 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
22/12/2018 -- 03:49:42 - <Config> - using magic-file /usr/share/file/magic
22/12/2018 -- 03:49:42 - <Config> - Core dump size is unlimited.
22/12/2018 -- 03:49:42 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
22/12/2018 -- 03:49:42 - <Config> - preallocated 1000 defrag trackers of size 168
22/12/2018 -- 03:49:42 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
22/12/2018 -- 03:49:42 - <Config> - stream "prealloc-sessions": 2048 (per thread)
22/12/2018 -- 03:49:42 - <Config> - stream "memcap": 33554432
22/12/2018 -- 03:49:42 - <Config> - stream "midstream" session pickups: disabled
22/12/2018 -- 03:49:42 - <Config> - stream "async-oneside": disabled
22/12/2018 -- 03:49:42 - <Config> - stream "checksum-validation": disabled
22/12/2018 -- 03:49:42 - <Config> - stream."inline": disabled
22/12/2018 -- 03:49:42 - <Config> - stream "bypass": disabled
22/12/2018 -- 03:49:42 - <Config> - stream "max-synack-queued": 5
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "memcap": 134217728
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "depth": 0
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "toserver-chunk-size": 2512
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "toclient-chunk-size": 2606
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly.raw: enabled
22/12/2018 -- 03:49:42 - <Config> - stream.reassembly "segment-prealloc": 2048
22/12/2018 -- 03:49:42 - <Config> - Delayed detect disabled
22/12/2018 -- 03:49:42 - <Config> - pattern matchers: MPM: ac, SPM: bm
22/12/2018 -- 03:49:42 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
22/12/2018 -- 03:49:42 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
22/12/2018 -- 03:49:42 - <Config> - prefilter engines: MPM
22/12/2018 -- 03:49:42 - <Config> - IP reputation disabled
22/12/2018 -- 03:49:42 - <Perf> - Registered 148 keyword profiling counters.
22/12/2018 -- 03:49:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
22/12/2018 -- 03:49:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
22/12/2018 -- 03:49:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
22/12/2018 -- 03:49:43 - <Config> - No rules loaded from ET-emerging-icmp.rules.
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
22/12/2018 -- 03:49:43 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
22/12/2018 -- 03:49:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
22/12/2018 -- 03:49:46 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
22/12/2018 -- 03:49:47 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
22/12/2018 -- 03:49:47 - <Config> - No rules loaded from local.rules.
22/12/2018 -- 03:49:47 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
22/12/2018 -- 03:49:47 - <Info> - Threshold config parsed: 0 rule(s) found
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tcp-packet
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tcp-stream
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for udp-packet
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for other-ip
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_uri
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_request_line
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_client_body
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_response_line
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_header
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_header
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_header_names
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_header_names
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_accept
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_accept_enc
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_accept_lang
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_referer
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_connection
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_content_len
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_content_len
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_content_type
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_content_type
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_protocol
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_protocol
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_start
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_start
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_raw_header
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_raw_header
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_method
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_cookie
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_cookie
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_raw_uri
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_user_agent
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_host
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_raw_host
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_stat_msg
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_stat_code
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for dns_query
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tls_sni
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tls_cert_issuer
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tls_cert_subject
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for tls_cert_serial
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for dce_stub_data
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for dce_stub_data
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for ssh_protocol
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for ssh_protocol
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for ssh_software
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for ssh_software
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for file_data
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for file_data
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_request_line
22/12/2018 -- 03:49:47 - <Perf> - using shared mpm ctx' for http_response_line
22/12/2018 -- 03:49:47 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
22/12/2018 -- 03:49:47 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
22/12/2018 -- 03:49:47 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
22/12/2018 -- 03:49:47 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
22/12/2018 -- 03:49:47 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
22/12/2018 -- 03:49:47 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
22/12/2018 -- 03:49:47 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
22/12/2018 -- 03:49:47 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
22/12/2018 -- 03:49:48 - <Perf> - Unique rule groups: 111
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toserver TCP packet": 31
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toclient TCP packet": 20
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toserver TCP stream": 31
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toclient TCP stream": 21
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toserver UDP packet": 33
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "toclient UDP packet": 15
22/12/2018 -- 03:49:48 - <Perf> - Builtin MPM "other IP packet": 2
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_uri": 8
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_request_line": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_client_body": 6
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_response_line": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_header": 6
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_header": 3
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_header_names": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_accept": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_referer": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_content_len": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toserver http_content_type": 1
22/12/2018 -- 03:49:48 - <Perf> - AppLayer MPM "toclient http_content_type": 1
22/12/2018 -- 03:49:48 - <Perf> - A
