Filename: fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: test-test
Runtime: 3.39864110947 seconds
Hash: b9077929a64ab5d8d6da135e501905cc
Uploaded: 1527887704

Logfiles


suricata-report-2018-06-01-T-21-15-08-06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap.txt - (12662 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /tmp/Bjb0YQ -l /var/www/html/b9077929a64ab5d8d6da135e501905cc030fbbf2f165873b947a474cd8f4c4b2 -r /var/pcap/06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap -vvv -k none
elapsedtime:1.581957
stderr:
1/6/2018 -- 21:15:06 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "tcp-packet" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.tcp-packet.detection-enabled
1/6/2018 -- 21:15:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp-packet $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Win32.Pashas.RAT Checkin"; flow:to_server,established; content:">>"; depth:2; content:"|00|<<"; distance:1; within:3; content:"<<"; within:55; pcre:"/^\d{8}-\d+\.(?:JPG|TXT)<<\d+<</R"; content:"LAST TOKEN INFO"; distance:0; fast_pattern; reference:md5,fa32b52b373f91e055d90c00d0400c50; classtype:trojan-activity; sid:1003519; rev:1;)
" from file /tmp/tmpi4PjY8 at line 1
stdout:
1/6/2018 -- 21:15:06 - <Notice> - This is Suricata version 4.0.0 RELEASE
1/6/2018 -- 21:15:06 - <Info> - CPUs/cores online: 1
1/6/2018 -- 21:15:06 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32983 and 'request-body-inspect-window' set to 15663 after randomization.
1/6/2018 -- 21:15:06 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31935 and 'response-body-inspect-window' set to 16734 after randomization.
1/6/2018 -- 21:15:06 - <Config> - DNS request flood protection level: 500
1/6/2018 -- 21:15:06 - <Config> - DNS per flow memcap (state-memcap): 524288
1/6/2018 -- 21:15:06 - <Config> - DNS global memcap: 16777216
1/6/2018 -- 21:15:06 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
1/6/2018 -- 21:15:06 - <Config> - preallocated 1000 hosts of size 136
1/6/2018 -- 21:15:06 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
1/6/2018 -- 21:15:06 - <Config> - using magic-file /usr/share/file/magic
1/6/2018 -- 21:15:06 - <Config> - Core dump size is unlimited.
1/6/2018 -- 21:15:06 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
1/6/2018 -- 21:15:06 - <Config> - preallocated 1000 defrag trackers of size 168
1/6/2018 -- 21:15:06 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
1/6/2018 -- 21:15:06 - <Config> - stream "prealloc-sessions": 2048 (per thread)
1/6/2018 -- 21:15:06 - <Config> - stream "memcap": 33554432
1/6/2018 -- 21:15:06 - <Config> - stream "midstream" session pickups: disabled
1/6/2018 -- 21:15:06 - <Config> - stream "async-oneside": disabled
1/6/2018 -- 21:15:06 - <Config> - stream "checksum-validation": disabled
1/6/2018 -- 21:15:06 - <Config> - stream."inline": disabled
1/6/2018 -- 21:15:06 - <Config> - stream "bypass": disabled
1/6/2018 -- 21:15:06 - <Config> - stream "max-synack-queued": 5
1/6/2018 -- 21:15:06 - <Config> - stream.reassembly "memcap": 134217728
1/6/2018 -- 21:15:06 - <Config> - stream.reassembly "depth": 0
1/6/2018 -- 21:15:06 - <Config> - stream.reassembly "toserver-chunk-size": 2573
1/6/2018 -- 21:15:06 - <Config> - stream.reassembly "toclient-chunk-size": 2604
1/6/2018 -- 21:15:06 - <Config> - stream.reassembly.raw: enabled
1/6/2018 -- 21:15:06 - <Config> - stream.reassembly "segment-prealloc": 2048
1/6/2018 -- 21:15:06 - <Config> - Delayed detect disabled
1/6/2018 -- 21:15:06 - <Config> - pattern matchers: MPM: ac, SPM: bm
1/6/2018 -- 21:15:06 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
1/6/2018 -- 21:15:06 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
1/6/2018 -- 21:15:06 - <Config> - prefilter engines: MPM
1/6/2018 -- 21:15:06 - <Config> - IP reputation disabled
1/6/2018 -- 21:15:06 - <Perf> - Registered 148 keyword profiling counters.
1/6/2018 -- 21:15:06 - <Config> - Loading rule file: /tmp/tmpi4PjY8
1/6/2018 -- 21:15:06 - <Config> - No rules loaded from /tmp/tmpi4PjY8.
1/6/2018 -- 21:15:06 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
1/6/2018 -- 21:15:06 - <Info> - Threshold config parsed: 0 rule(s) found
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tcp-packet
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tcp-stream
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for udp-packet
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for other-ip
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_uri
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_request_line
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_client_body
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_response_line
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_header
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_header
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_header_names
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_header_names
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_accept
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_accept_enc
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_accept_lang
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_referer
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_connection
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_content_len
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_content_len
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_content_type
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_content_type
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_protocol
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_protocol
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_start
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_start
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_raw_header
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_raw_header
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_method
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_cookie
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_cookie
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_raw_uri
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_user_agent
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_host
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_raw_host
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_stat_msg
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_stat_code
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for dns_query
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tls_sni
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tls_cert_issuer
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tls_cert_subject
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tls_cert_serial
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for dce_stub_data
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for dce_stub_data
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for ssh_protocol
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for ssh_protocol
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for ssh_software
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for ssh_software
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for file_data
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for file_data
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_request_line
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_response_line
1/6/2018 -- 21:15:06 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
1/6/2018 -- 21:15:06 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
1/6/2018 -- 21:15:06 - <Perf> - TCP toserver: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - Unique rule groups: 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toserver TCP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toclient TCP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toserver TCP stream": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toclient TCP stream": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toserver UDP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toclient UDP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "other IP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Registered 0 rule profiling counters.
1/6/2018 -- 21:15:06 - <Info> - fast output device (regular) initialized: alert
1/6/2018 -- 21:15:06 - <Info> - eve-log output device (regular) initialized: eve.json
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'alert'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'http'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'dns'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'tls'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'files'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'ssh'
1/6/2018 -- 21:15:06 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
1/6/2018 -- 21:15:06 - <Info> - stats output device (regular) initialized: stats.log
1/6/2018 -- 21:15:06 - <Config> - AutoFP mode using "Hash" flow load balancer
1/6/2018 -- 21:15:06 - <Info> - reading pcap file /var/pcap/06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap
1/6/2018 -- 21:15:06 - <Config> - using 1 flow manager threads
1/6/2018 -- 21:15:06 - <Config> - using 1 flow recycler threads
1/6/2018 -- 21:15:06 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
1/6/2018 -- 21:15:06 - <Info> - pcap file end of file reached (pcap err code 0)
1/6/2018 -- 21:15:06 - <Notice> - Signal Received.  Stopping engine.
1/6/2018 -- 21:15:07 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
1/6/2018 -- 21:15:07 - <Info> - time elapsed 0.421s
1/6/2018 -- 21:15:08 - <Perf> - 5 flows processed
1/6/2018 -- 21:15:08 - <Notice> - Pcap-file module read 33 packets, 18667 bytes
1/6/2018 -- 21:15:08 - <Perf> - AutoFP - Total flow handler queues - 1
1/6/2018 -- 21:15:08 - <Info> - Alerts: 0
1/6/2018 -- 21:15:08 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
1/6/2018 -- 21:15:08 - <Perf> - Done dumping profiling data.
1/6/2018 -- 21:15:08 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
1/6/2018 -- 21:15:08 - <Perf> - Dumping profiling data for 0 rules.
1/6/2018 -- 21:15:08 - <Perf> - Done dumping profiling data.
1/6/2018 -- 21:15:08 - <Perf> - Done dumping keyword profiling data.
1/6/2018 -- 21:15:08 - <Info> - cleaning up signature grouping structure... complete
returncode: 0
errors:
- 1/6/2018 -- 21:15:06 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "tcp-packet" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.tcp-packet.detection-enabled
- 1/6/2018 -- 21:15:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp-packet $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Win32.Pashas.RAT Checkin"; flow:to_server,established; content:">>"; depth:2; content:"|00|<<"; distance:1; within:3; content:"<<"; within:55; pcre:"/^\d{8}-\d+\.(?:JPG|TXT)<<\d+<</R"; content:"LAST TOKEN INFO"; distance:0; fast_pattern; reference:md5,fa32b52b373f91e055d90c00d0400c50; classtype:trojan-activity; sid:1003519; rev:1;)
" from file /tmp/tmpi4PjY8 at line 1
warnings:
- 1/6/2018 -- 21:15:06 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!


packet_stats.log - (5359 bytes) - download
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            29           139788        6041144       4756647        137.9m   89.66
 IPv4      17             8          1010372        4786836       1988907         15.9m   10.34
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            29            47196         119728         67724          2.0m   31.19
TMM_FLOWWORKER              IPv4      17             8            44792        3388512        503965          4.0m   64.03
TMM_RECEIVEPCAPFILE         IPv4       6            25             3632           5208          4006        100.2k    1.59
TMM_RECEIVEPCAPFILE         IPv4      17             8             3772          11752          4905         39.2k    0.62
TMM_DECODEPCAPFILE          IPv4       6            25             3644           6248          3947         98.7k    1.57
TMM_DECODEPCAPFILE          IPv4      17             8             3780          22624          7812         62.5k    0.99

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6            25             3604           6720          4066        101.7k  5.41  
flow                    IPv4      17             8             3716          17624          7957         63.7k  3.39  
stream                  IPv4       6            29             3940          40620         11736        340.4k  18.12 
app-layer               IPv4      17             8             3392          30080         11879         95.0k  5.06  
detect                  IPv4       6            29            20428          61796         29102        844.0k  44.92 
detect                  IPv4      17             8            23776          67560         41404        331.2k  17.63 
tcp-prune               IPv4       6            29             2872           4660          3547        102.9k  5.48  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
dns                     IPv4      17             2            10960          12128         11544         23.1k  100.00
Proto detect            IPv4       6             2             4684           6368          5526         11.1k
Proto detect            IPv4      17             4             4220          11200          7369         29.5k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_JSON_DNS             IPv4      17             2           120584        3268076       1694330          3.4m  100.00

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             4             3436           3856          3597         14.4k  2.68  
PROF_DETECT_IPONLY          IPv4      17             5             3628           6820          4727         23.6k  4.40  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             2             4368          12816          8592         17.2k  3.20  
PROF_DETECT_ALERT           IPv4       6            29             2828          20200          4179        121.2k  22.55 
PROF_DETECT_ALERT           IPv4      17             8             3392           6068          3928         31.4k  5.85  
PROF_DETECT_CLEANUP         IPv4       6            29             2848          25544          4475        129.8k  24.14 
PROF_DETECT_CLEANUP         IPv4      17             8             3376           7400          4463         35.7k  6.64  
PROF_DETECT_GETSGH          IPv4       6            29             2840           7332          4019        116.6k  21.68 
PROF_DETECT_GETSGH          IPv4      17             8             3388           8344          5960         47.7k  8.87  


stats.log - (2303 bytes) - download
------------------------------------------------------------------------------------
Date: 6/1/2018 -- 21:15:08 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 33
decoder.bytes                              | Total                     | 18667
decoder.ipv4                               | Total                     | 33
decoder.ethernet                           | Total                     | 33
decoder.tcp                                | Total                     | 25
decoder.udp                                | Total                     | 8
decoder.avg_pkt_size                       | Total                     | 565
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 3
tcp.sessions                               | Total                     | 2
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
tcp.overlap                                | Total                     | 14
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 1
app_layer.flow.failed_udp                  | Total                     | 2
flow_mgr.new_pruned                        | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65535
flow_mgr.rows_empty                        | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075456


eve.json - (622 bytes) - download
{"timestamp":"2018-05-23T20:06:12.584458+0000","flow_id":1489897474288394,"pcap_cnt":7,"event_type":"dns","src_ip":"10.1.21.10","src_port":1031,"dest_ip":"143.215.130.30","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44529,"rrname":"yahhelper.no-ip.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-23T20:06:12.600330+0000","flow_id":1489897474288394,"pcap_cnt":8,"event_type":"dns","src_ip":"143.215.130.30","src_port":53,"dest_ip":"10.1.21.10","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44529,"rcode":"NOERROR","rrname":"yahhelper.no-ip.org","rrtype":"A","ttl":3600,"rdata":"204.95.99.109"}}


keyword_perf.log - (705 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 6/1/2018 -- 21:15:08
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 


suricata-4.0.0-test-test-perf.txt-2018-06-01-T-21-15-08-06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap.txt - (469 bytes) - download
  --------------------------------------------------------------------------
  Date: 6/1/2018 -- 21:15:08. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 


IDSDeathBlossom.py.log - (15418 bytes) - download
2018-06-01 21:15:05,131 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-06-01 21:15:06,450 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-06-01 21:15:06,450 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-test-test
2018-06-01 21:15:06,454 - INFO - generate_config - /opt/IDSDeathBlossom/IDSDeathBlossom.py +162 - Loading glob result: ['/tmp/tmpi4PjY8']
2018-06-01 21:15:06,455 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-06-01 21:15:06,455 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-06-01 21:15:06,455 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /tmp/Bjb0YQ -l /var/www/html/b9077929a64ab5d8d6da135e501905cc030fbbf2f165873b947a474cd8f4c4b2 -r /var/pcap/06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap -vvv -k none
2018-06-01 21:15:08,054 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
1/6/2018 -- 21:15:06 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "tcp-packet" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.tcp-packet.detection-enabled
2018-06-01 21:15:08,055 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
1/6/2018 -- 21:15:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp-packet $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Win32.Pashas.RAT Checkin"; flow:to_server,established; content:">>"; depth:2; content:"|00|<<"; distance:1; within:3; content:"<<"; within:55; pcre:"/^\d{8}-\d+\.(?:JPG|TXT)<<\d+<</R"; content:"LAST TOKEN INFO"; distance:0; fast_pattern; reference:md5,fa32b52b373f91e055d90c00d0400c50; classtype:trojan-activity; sid:1003519; rev:1;)
" from file /tmp/tmpi4PjY8 at line 1
2018-06-01 21:15:08,056 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
1/6/2018 -- 21:15:06 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
2018-06-01 21:15:08,057 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-06-01 21:15:08,057 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +437 - mode:suricata; lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /tmp/Bjb0YQ -l /var/www/html/b9077929a64ab5d8d6da135e501905cc030fbbf2f165873b947a474cd8f4c4b2 -r /var/pcap/06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap -vvv -k none; returncode:0; elapsed:1.581957; Errors:
- 1/6/2018 -- 21:15:06 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "tcp-packet" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.tcp-packet.detection-enabled
- 1/6/2018 -- 21:15:06 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp-packet $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Win32.Pashas.RAT Checkin"; flow:to_server,established; content:">>"; depth:2; content:"|00|<<"; distance:1; within:3; content:"<<"; within:55; pcre:"/^\d{8}-\d+\.(?:JPG|TXT)<<\d+<</R"; content:"LAST TOKEN INFO"; distance:0; fast_pattern; reference:md5,fa32b52b373f91e055d90c00d0400c50; classtype:trojan-activity; sid:1003519; rev:1;)
" from file /tmp/tmpi4PjY8 at line 1

 Warnings:
- 1/6/2018 -- 21:15:06 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!

1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_start
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_start
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_raw_header
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_raw_header
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_method
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_cookie
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_cookie
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_raw_uri
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_user_agent
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_host
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_raw_host
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_stat_msg
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_stat_code
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for dns_query
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tls_sni
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tls_cert_issuer
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tls_cert_subject
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for tls_cert_serial
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for dce_stub_data
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for dce_stub_data
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for ssh_protocol
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for ssh_protocol
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for ssh_software
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for ssh_software
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for file_data
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for file_data
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_request_line
1/6/2018 -- 21:15:06 - <Perf> - using shared mpm ctx' for http_response_line
1/6/2018 -- 21:15:06 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
1/6/2018 -- 21:15:06 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
1/6/2018 -- 21:15:06 - <Perf> - TCP toserver: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:15:06 - <Perf> - Unique rule groups: 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toserver TCP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toclient TCP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toserver TCP stream": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toclient TCP stream": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toserver UDP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "toclient UDP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Builtin MPM "other IP packet": 0
1/6/2018 -- 21:15:06 - <Perf> - Registered 0 rule profiling counters.
1/6/2018 -- 21:15:06 - <Info> - fast output device (regular) initialized: alert
1/6/2018 -- 21:15:06 - <Info> - eve-log output device (regular) initialized: eve.json
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'alert'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'http'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'dns'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'tls'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'files'
1/6/2018 -- 21:15:06 - <Config> - enabling 'eve-log' module 'ssh'
1/6/2018 -- 21:15:06 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
1/6/2018 -- 21:15:06 - <Info> - stats output device (regular) initialized: stats.log
1/6/2018 -- 21:15:06 - <Config> - AutoFP mode using "Hash" flow load balancer
1/6/2018 -- 21:15:06 - <Info> - reading pcap file /var/pcap/06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap
1/6/2018 -- 21:15:06 - <Config> - using 1 flow manager threads
1/6/2018 -- 21:15:06 - <Config> - using 1 flow recycler threads
1/6/2018 -- 21:15:06 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
1/6/2018 -- 21:15:06 - <Info> - pcap file end of file reached (pcap err code 0)
1/6/2018 -- 21:15:06 - <Notice> - Signal Received.  Stopping engine.
1/6/2018 -- 21:15:07 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
1/6/2018 -- 21:15:07 - <Info> - time elapsed 0.421s
1/6/2018 -- 21:15:08 - <Perf> - 5 flows processed
1/6/2018 -- 21:15:08 - <Notice> - Pcap-file module read 33 packets, 18667 bytes
1/6/2018 -- 21:15:08 - <Perf> - AutoFP - Total flow handler queues - 1
1/6/2018 -- 21:15:08 - <Info> - Alerts: 0
1/6/2018 -- 21:15:08 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
1/6/2018 -- 21:15:08 - <Perf> - Done dumping profiling data.
1/6/2018 -- 21:15:08 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
1/6/2018 -- 21:15:08 - <Perf> - Dumping profiling data for 0 rules.
1/6/2018 -- 21:15:08 - <Perf> - Done dumping profiling data.
1/6/2018 -- 21:15:08 - <Perf> - Done dumping keyword profiling data.
1/6/2018 -- 21:15:08 - <Info> - cleaning up signature grouping structure... complete

2018-06-01 21:15:08,057 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 2.94166898727