Filename: fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: test-test
Runtime: 3.7397480011 seconds
Hash: b9077929a64ab5d8d6da135e501905cc
Uploaded: 1527887788

Logfiles


suricata-4.0.0-test-test-alert-2018-06-01-T-21-16-32-06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap.txt - (1379 bytes)
05/23/2018-20:06:15.688599  [**] [1:1003519:1] ETPRO TROJAN Win32.Pashas.RAT Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.21.10:1032 -> 204.95.99.109:27020
05/23/2018-20:06:21.703836  [**] [1:1003519:1] ETPRO TROJAN Win32.Pashas.RAT Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.21.10:1032 -> 204.95.99.109:27020
05/23/2018-20:06:33.735199  [**] [1:1003519:1] ETPRO TROJAN Win32.Pashas.RAT Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.21.10:1032 -> 204.95.99.109:27020
05/23/2018-20:06:45.767867  [**] [1:1003519:1] ETPRO TROJAN Win32.Pashas.RAT Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.21.10:1032 -> 204.95.99.109:27020
05/23/2018-20:06:57.798246  [**] [1:1003519:1] ETPRO TROJAN Win32.Pashas.RAT Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.21.10:1032 -> 204.95.99.109:27020
05/23/2018-20:07:21.860303  [**] [1:1003519:1] ETPRO TROJAN Win32.Pashas.RAT Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.21.10:1032 -> 204.95.99.109:27020
05/23/2018-20:08:09.876851  [**] [1:1003519:1] ETPRO TROJAN Win32.Pashas.RAT Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.21.10:1032 -> 204.95.99.109:27020


packet_stats.log - (6715 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            29           187701       11319846       7766971        225.2m   91.42
 IPv4      17             8          1212036        6552501       2641848         21.1m    8.58
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            29            75654         820650        206629          6.0m   50.07
TMM_FLOWWORKER              IPv4      17             8            50019        4954116        705388          5.6m   47.15
TMM_RECEIVEPCAPFILE         IPv4       6            25             3918           5331          4382        109.6k    0.92
TMM_RECEIVEPCAPFILE         IPv4      17             8             3987          15702          5761         46.1k    0.39
TMM_DECODEPCAPFILE          IPv4       6            25             3405           7236          4482        112.1k    0.94
TMM_DECODEPCAPFILE          IPv4      17             8             4083          32388          8055         64.4k    0.54

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6            25             4242          22269          5512        137.8k  3.22  
flow                    IPv4      17             8             4170          19098          7673         61.4k  1.44  
stream                  IPv4       6            29             4794          81465         18532        537.4k  12.57 
app-layer               IPv4      17             8             3678          36936         13854        110.8k  2.59  
detect                  IPv4       6            29            27234         205722        101149          2.9m  68.60 
detect                  IPv4      17             8            26628          81840         46940        375.5k  8.78  
tcp-prune               IPv4       6            29             3438          10782          4136        120.0k  2.81  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
dns                     IPv4      17             2            13488          16383         14935         29.9k  100.00
Proto detect            IPv4       6             2             5766          23769         14767         29.5k
Proto detect            IPv4      17             4             5097          13446          8804         35.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             7            23538         105405         41645        291.5k  4.65  
LOGGER_UNIFIED2             IPv4       6             7            25368         326622         76185        533.3k  8.51  
LOGGER_JSON_ALERT           IPv4       6             7            65862         112518         76059        532.4k  8.50  
LOGGER_JSON_DNS             IPv4      17             2            93150        4816743       2454946          4.9m  78.34 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            19             5553          19773         12791       243.0k  100.00
Total                             IPv4                    19                                         12791       243.0k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             4             3765           4281          4060         16.2k  0.60  
PROF_DETECT_IPONLY          IPv4      17             5             3939           9258          5521         27.6k  1.02  
PROF_DETECT_RULES           IPv4       6            25             3669         107049         24012        600.3k  22.23 
PROF_DETECT_STATEFUL_CONT    IPv4       6            25             3477           4860          3912         97.8k  3.62  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             2             5214          17709         11461         22.9k  0.85  
PROF_DETECT_PREFILTER       IPv4       6            25            12162          42735         31866        796.7k  29.50 
PROF_DETECT_PF_PAYLOAD      IPv4       6            19            12882          27108         20129        382.5k  14.16 
PROF_DETECT_PF_SORT2        IPv4       6            25             3585           5298          3897         97.4k  3.61  
PROF_DETECT_NONMPMLIST      IPv4       6            25             3612           4176          3796         94.9k  3.51  
PROF_DETECT_ALERT           IPv4       6            29             3600          18462          4491        130.2k  4.82  
PROF_DETECT_ALERT           IPv4      17             8             3588           6957          4305         34.4k  1.28  
PROF_DETECT_CLEANUP         IPv4       6            29             3693          34824          6069        176.0k  6.52  
PROF_DETECT_CLEANUP         IPv4      17             8             3780           8262          5052         40.4k  1.50  
PROF_DETECT_GETSGH          IPv4       6            29             3648           8199          4457        129.3k  4.79  
PROF_DETECT_GETSGH          IPv4      17             8             3738           9441          6677         53.4k  1.98  


unified2.alert.1527887790 - (4997 bytes)


stats.log - (2378 bytes)
------------------------------------------------------------------------------------
Date: 6/1/2018 -- 21:16:32 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 33
decoder.bytes                              | Total                     | 18667
decoder.ipv4                               | Total                     | 33
decoder.ethernet                           | Total                     | 33
decoder.tcp                                | Total                     | 25
decoder.udp                                | Total                     | 8
decoder.avg_pkt_size                       | Total                     | 565
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 3
tcp.sessions                               | Total                     | 2
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
tcp.overlap                                | Total                     | 14
detect.alert                               | Total                     | 7
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 1
app_layer.flow.failed_udp                  | Total                     | 2
flow_mgr.new_pruned                        | Total                     | 1
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65535
flow_mgr.rows_empty                        | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075456


eve.json - (3294 bytes)
{"timestamp":"2018-05-23T20:06:12.584458+0000","flow_id":977950257507082,"pcap_cnt":7,"event_type":"dns","src_ip":"10.1.21.10","src_port":1031,"dest_ip":"143.215.130.30","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44529,"rrname":"yahhelper.no-ip.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-05-23T20:06:12.600330+0000","flow_id":977950257507082,"pcap_cnt":8,"event_type":"dns","src_ip":"143.215.130.30","src_port":53,"dest_ip":"10.1.21.10","dest_port":1031,"proto":"UDP","dns":{"type":"answer","id":44529,"rcode":"NOERROR","rrname":"yahhelper.no-ip.org","rrtype":"A","ttl":3600,"rdata":"204.95.99.109"}}
{"timestamp":"2018-05-23T20:06:15.688599+0000","flow_id":1866140904337809,"pcap_cnt":14,"event_type":"alert","src_ip":"10.1.21.10","src_port":1032,"dest_ip":"204.95.99.109","dest_port":27020,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1003519,"rev":1,"signature":"ETPRO TROJAN Win32.Pashas.RAT Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-23T20:06:21.703836+0000","flow_id":1866140904337809,"pcap_cnt":22,"event_type":"alert","src_ip":"10.1.21.10","src_port":1032,"dest_ip":"204.95.99.109","dest_port":27020,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1003519,"rev":1,"signature":"ETPRO TROJAN Win32.Pashas.RAT Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-23T20:06:33.735199+0000","flow_id":1866140904337809,"pcap_cnt":24,"event_type":"alert","src_ip":"10.1.21.10","src_port":1032,"dest_ip":"204.95.99.109","dest_port":27020,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1003519,"rev":1,"signature":"ETPRO TROJAN Win32.Pashas.RAT Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-23T20:06:45.767867+0000","flow_id":1866140904337809,"pcap_cnt":26,"event_type":"alert","src_ip":"10.1.21.10","src_port":1032,"dest_ip":"204.95.99.109","dest_port":27020,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1003519,"rev":1,"signature":"ETPRO TROJAN Win32.Pashas.RAT Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-23T20:06:57.798246+0000","flow_id":1866140904337809,"pcap_cnt":28,"event_type":"alert","src_ip":"10.1.21.10","src_port":1032,"dest_ip":"204.95.99.109","dest_port":27020,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1003519,"rev":1,"signature":"ETPRO TROJAN Win32.Pashas.RAT Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-23T20:07:21.860303+0000","flow_id":1866140904337809,"pcap_cnt":30,"event_type":"alert","src_ip":"10.1.21.10","src_port":1032,"dest_ip":"204.95.99.109","dest_port":27020,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1003519,"rev":1,"signature":"ETPRO TROJAN Win32.Pashas.RAT Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-05-23T20:08:09.876851+0000","flow_id":1866140904337809,"pcap_cnt":32,"event_type":"alert","src_ip":"10.1.21.10","src_port":1032,"dest_ip":"204.95.99.109","dest_port":27020,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1003519,"rev":1,"signature":"ETPRO TROJAN Win32.Pashas.RAT Checkin","category":"A Network Trojan was detected","severity":1}}


suricata-report-2018-06-01-T-21-16-32-06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap.txt - (10751 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /tmp/Kcm1eG -l /var/www/html/b9077929a64ab5d8d6da135e501905cc154243fc44b01cb4a46d2a6305150445 -r /var/pcap/06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap -vvv -k none
elapsedtime:1.848489
stderr:
stdout:
1/6/2018 -- 21:16:30 - <Notice> - This is Suricata version 4.0.0 RELEASE
1/6/2018 -- 21:16:30 - <Info> - CPUs/cores online: 1
1/6/2018 -- 21:16:30 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32685 and 'request-body-inspect-window' set to 16015 after randomization.
1/6/2018 -- 21:16:30 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32042 and 'response-body-inspect-window' set to 17006 after randomization.
1/6/2018 -- 21:16:30 - <Config> - DNS request flood protection level: 500
1/6/2018 -- 21:16:30 - <Config> - DNS per flow memcap (state-memcap): 524288
1/6/2018 -- 21:16:30 - <Config> - DNS global memcap: 16777216
1/6/2018 -- 21:16:30 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
1/6/2018 -- 21:16:30 - <Config> - preallocated 1000 hosts of size 136
1/6/2018 -- 21:16:30 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
1/6/2018 -- 21:16:30 - <Config> - using magic-file /usr/share/file/magic
1/6/2018 -- 21:16:30 - <Config> - Core dump size is unlimited.
1/6/2018 -- 21:16:30 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
1/6/2018 -- 21:16:30 - <Config> - preallocated 1000 defrag trackers of size 168
1/6/2018 -- 21:16:30 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
1/6/2018 -- 21:16:30 - <Config> - stream "prealloc-sessions": 2048 (per thread)
1/6/2018 -- 21:16:30 - <Config> - stream "memcap": 33554432
1/6/2018 -- 21:16:30 - <Config> - stream "midstream" session pickups: disabled
1/6/2018 -- 21:16:30 - <Config> - stream "async-oneside": disabled
1/6/2018 -- 21:16:30 - <Config> - stream "checksum-validation": disabled
1/6/2018 -- 21:16:30 - <Config> - stream."inline": disabled
1/6/2018 -- 21:16:30 - <Config> - stream "bypass": disabled
1/6/2018 -- 21:16:30 - <Config> - stream "max-synack-queued": 5
1/6/2018 -- 21:16:30 - <Config> - stream.reassembly "memcap": 134217728
1/6/2018 -- 21:16:30 - <Config> - stream.reassembly "depth": 0
1/6/2018 -- 21:16:30 - <Config> - stream.reassembly "toserver-chunk-size": 2545
1/6/2018 -- 21:16:30 - <Config> - stream.reassembly "toclient-chunk-size": 2552
1/6/2018 -- 21:16:30 - <Config> - stream.reassembly.raw: enabled
1/6/2018 -- 21:16:30 - <Config> - stream.reassembly "segment-prealloc": 2048
1/6/2018 -- 21:16:30 - <Config> - Delayed detect disabled
1/6/2018 -- 21:16:30 - <Config> - pattern matchers: MPM: ac, SPM: bm
1/6/2018 -- 21:16:30 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
1/6/2018 -- 21:16:30 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
1/6/2018 -- 21:16:30 - <Config> - prefilter engines: MPM
1/6/2018 -- 21:16:30 - <Config> - IP reputation disabled
1/6/2018 -- 21:16:30 - <Perf> - Registered 148 keyword profiling counters.
1/6/2018 -- 21:16:30 - <Config> - Loading rule file: /tmp/tmp4mERRM
1/6/2018 -- 21:16:30 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
1/6/2018 -- 21:16:30 - <Info> - Threshold config parsed: 0 rule(s) found
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for tcp-packet
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for tcp-stream
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for udp-packet
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for other-ip
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_uri
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_request_line
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_client_body
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_response_line
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_header
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_header
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_header_names
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_header_names
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_accept
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_accept_enc
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_accept_lang
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_referer
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_connection
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_content_len
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_content_len
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_content_type
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_content_type
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_protocol
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_protocol
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_start
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_start
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_raw_header
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_raw_header
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_method
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_cookie
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_cookie
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_raw_uri
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_user_agent
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_host
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_raw_host
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_stat_msg
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_stat_code
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for dns_query
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for tls_sni
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for tls_cert_issuer
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for tls_cert_subject
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for tls_cert_serial
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for dce_stub_data
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for dce_stub_data
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for ssh_protocol
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for ssh_protocol
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for ssh_software
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for ssh_software
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for file_data
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for file_data
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_request_line
1/6/2018 -- 21:16:30 - <Perf> - using shared mpm ctx' for http_response_line
1/6/2018 -- 21:16:30 - <Info> - 1 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
1/6/2018 -- 21:16:30 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
1/6/2018 -- 21:16:30 - <Perf> - TCP toserver: 1 port groups, 1 unique SGH's, 0 copies
1/6/2018 -- 21:16:30 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:16:30 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:16:30 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:16:30 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:16:30 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
1/6/2018 -- 21:16:30 - <Perf> - Unique rule groups: 1
1/6/2018 -- 21:16:30 - <Perf> - Builtin MPM "toserver TCP packet": 1
1/6/2018 -- 21:16:30 - <Perf> - Builtin MPM "toclient TCP packet": 0
1/6/2018 -- 21:16:30 - <Perf> - Builtin MPM "toserver TCP stream": 0
1/6/2018 -- 21:16:30 - <Perf> - Builtin MPM "toclient TCP stream": 0
1/6/2018 -- 21:16:30 - <Perf> - Builtin MPM "toserver UDP packet": 0
1/6/2018 -- 21:16:30 - <Perf> - Builtin MPM "toclient UDP packet": 0
1/6/2018 -- 21:16:30 - <Perf> - Builtin MPM "other IP packet": 0
1/6/2018 -- 21:16:30 - <Perf> - Registered 1 rule profiling counters.
1/6/2018 -- 21:16:30 - <Info> - fast output device (regular) initialized: alert
1/6/2018 -- 21:16:30 - <Info> - eve-log output device (regular) initialized: eve.json
1/6/2018 -- 21:16:30 - <Config> - enabling 'eve-log' module 'alert'
1/6/2018 -- 21:16:30 - <Config> - enabling 'eve-log' module 'http'
1/6/2018 -- 21:16:30 - <Config> - enabling 'eve-log' module 'dns'
1/6/2018 -- 21:16:30 - <Config> - enabling 'eve-log' module 'tls'
1/6/2018 -- 21:16:30 - <Config> - enabling 'eve-log' module 'files'
1/6/2018 -- 21:16:30 - <Config> - enabling 'eve-log' module 'ssh'
1/6/2018 -- 21:16:30 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
1/6/2018 -- 21:16:30 - <Info> - stats output device (regular) initialized: stats.log
1/6/2018 -- 21:16:30 - <Config> - AutoFP mode using "Hash" flow load balancer
1/6/2018 -- 21:16:30 - <Info> - reading pcap file /var/pcap/06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap
1/6/2018 -- 21:16:30 - <Config> - using 1 flow manager threads
1/6/2018 -- 21:16:30 - <Config> - using 1 flow recycler threads
1/6/2018 -- 21:16:30 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
1/6/2018 -- 21:16:30 - <Info> - pcap file end of file reached (pcap err code 0)
1/6/2018 -- 21:16:30 - <Notice> - Signal Received.  Stopping engine.
1/6/2018 -- 21:16:31 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
1/6/2018 -- 21:16:31 - <Info> - time elapsed 0.775s
1/6/2018 -- 21:16:32 - <Perf> - 5 flows processed
1/6/2018 -- 21:16:32 - <Notice> - Pcap-file module read 33 packets, 18667 bytes
1/6/2018 -- 21:16:32 - <Perf> - AutoFP - Total flow handler queues - 1
1/6/2018 -- 21:16:32 - <Info> - Alerts: 7
1/6/2018 -- 21:16:32 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
1/6/2018 -- 21:16:32 - <Perf> - Done dumping profiling data.
1/6/2018 -- 21:16:32 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
1/6/2018 -- 21:16:32 - <Perf> - Dumping profiling data for 1 rules.
1/6/2018 -- 21:16:32 - <Perf> - Done dumping profiling data.
1/6/2018 -- 21:16:32 - <Perf> - Done dumping keyword profiling data.
1/6/2018 -- 21:16:32 - <Info> - cleaning up signature grouping structure... complete
returncode: 0
errors:
warnings:


keyword_perf.log - (2596 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 6/1/2018 -- 21:16:32
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             28386           7               7               5385            4055.00         4055.00         0.00           
  content          134706          29              28              13374           4645.00         4333.00         13374.00       
  pcre             74742           7               7               40575           10677.00        10677.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             28386           7               7               5385            4055.00         4055.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          134706          29              28              13374           4645.00         4333.00         13374.00       
  pcre             74742           7               7               40575           10677.00        10677.00        0.00           


suricata-4.0.0-test-test-perf.txt-2018-06-01-T-21-16-32-06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap.txt - (597 bytes)
  --------------------------------------------------------------------------
  Date: 6/1/2018 -- 21:16:32. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        1003519      1        1        468294       100.00 8        7        99129       58536.75    61383.00    38613.00   


IDSDeathBlossom.py.log - (1275 bytes)
2018-06-01 21:16:28,679 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-06-01 21:16:30,168 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-06-01 21:16:30,169 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-test-test
2018-06-01 21:16:30,173 - INFO - generate_config - /opt/IDSDeathBlossom/IDSDeathBlossom.py +162 - Loading glob result: ['/tmp/tmp4mERRM']
2018-06-01 21:16:30,174 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-06-01 21:16:30,174 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-06-01 21:16:30,174 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /tmp/Kcm1eG -l /var/www/html/b9077929a64ab5d8d6da135e501905cc154243fc44b01cb4a46d2a6305150445 -r /var/pcap/06012018.2115-fa32b52b373f91e055d90c00d0400c50-1.pcap.pcap -vvv -k none
2018-06-01 21:16:32,026 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-06-01 21:16:32,027 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 3.36396598816