Filename: PlugX-RAT-Related-Checkin.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 29.1012160778 seconds
Hash: c245b321c630f2940c793e0e36b123fb
Uploaded: 1576086453

Logfiles


packet_stats.log - (15912 bytes) - download
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       1            27         37359024      204072176     155554383          4.2b    8.56
 IPv4       2            10          9002846       97745454      38756883        387.6m    0.79
 IPv4       6            16        143437372      217481066     186258580          3.0b    6.07
 IPv4      17           323          9909886      218336330     128560063         41.5b   84.58
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       1            27           131894         344040        204412          5.5m    2.34
TMM_FLOWWORKER              IPv4       2            10           132992         504116        175075          1.8m    0.74
TMM_FLOWWORKER              IPv4       6            16           117726        7613450        854949         13.7m    5.80
TMM_FLOWWORKER              IPv4      17           323           208336       18884930        652701        210.8m   89.42
TMM_RECEIVEPCAPFILE         IPv4       1            27             4838           6144          5420        146.4k    0.06
TMM_RECEIVEPCAPFILE         IPv4       2            10             4432           4898          4700         47.0k    0.02
TMM_RECEIVEPCAPFILE         IPv4       6            16             4432           5136          4800         76.8k    0.03
TMM_RECEIVEPCAPFILE         IPv4      17           323             4426          51278          5312          1.7m    0.73
TMM_DECODEPCAPFILE          IPv4       1            27             4622          24882          6306        170.3k    0.07
TMM_DECODEPCAPFILE          IPv4       2            10             4618          15662          5963         59.6k    0.03
TMM_DECODEPCAPFILE          IPv4       6            16             4570          24754          6260        100.2k    0.04
TMM_DECODEPCAPFILE          IPv4      17           323             4564          22110          5231          1.7m    0.72

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       1            27             5760          25790          7285        196.7k  0.10  
flow                    IPv4       6            16             5402           8802          6494        103.9k  0.05  
flow                    IPv4      17           323             4890          48518          8511          2.7m  1.43  
stream                  IPv4       6            16             5134         857316         88213          1.4m  0.73  
app-layer               IPv4      17           323             4470          86540         16214          5.2m  2.72  
detect                  IPv4       1            27           110548         313412        178294          4.8m  2.50  
detect                  IPv4       2            10           123642         494280        165285          1.7m  0.86  
detect                  IPv4       6            16            78970        6655418        676533         10.8m  5.63  
detect                  IPv4      17           323           179468       18843488        511330        165.2m  85.90 
tcp-prune               IPv4       6            16             4520          24002          7447        119.2k  0.06  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             1            37144          37144         37144         37.1k  2.24  
dns                     IPv4      17           208             5300          40576          7807          1.6m  97.76 
Proto detect            IPv4      17           207             4780          43340          7025          1.5m

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             1           184768         184768        184768        184.8k  0.92  
LOGGER_UNIFIED2             IPv4       6             1           165696         165696        165696        165.7k  0.82  
LOGGER_JSON_ALERT           IPv4       6             1           167510         167510        167510        167.5k  0.83  
LOGGER_JSON_DNS             IPv4      17           116            33220       11656264        167367         19.4m  96.43 
LOGGER_JSON_HTTP            IPv4       6             1            97320          97320         97320         97.3k  0.48  
LOGGER_JSON_FILE            IPv4       6             1           104212         104212        104212        104.2k  0.52  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       1            27             7456          33082         16116       435.2k  4.49  
payload                           IPv4       6             4             5410         486394        193331       773.3k  7.99  
payload                           IPv4      17           323             5312         802774         21139         6.8m  70.53 
stream                            IPv4       6             4             4954         209406        106784       427.1k  4.41  
http_uri                          IPv4       6             1            23418          23418         23418        23.4k  0.24  
http_request_line                 IPv4       6             1            22766          22766         22766        22.8k  0.24  
http_client_body                  IPv4       6             1             6214           6214          6214         6.2k  0.06  
http_header (request)             IPv4       6             1           193140         193140        193140       193.1k  1.99  
http_header (request trailer)     IPv4       6             1             4562           4562          4562         4.6k  0.05  
http_header_names (request)       IPv4       6             1            40940          40940         40940        40.9k  0.42  
http_accept (request)             IPv4       6             1            14358          14358         14358        14.4k  0.15  
http_referer (request)            IPv4       6             1             5758           5758          5758         5.8k  0.06  
http_content_len (request)        IPv4       6             1            11590          11590         11590        11.6k  0.12  
http_content_type (request)       IPv4       6             1             6018           6018          6018         6.0k  0.06  
http_protocol (request)           IPv4       6             1            10448          10448         10448        10.4k  0.11  
http_start (request)              IPv4       6             1            37018          37018         37018        37.0k  0.38  
http_raw_header (request)         IPv4       6             1            34190          34190         34190        34.2k  0.35  
http_method                       IPv4       6             1            10350          10350         10350        10.4k  0.11  
http_cookie (request)             IPv4       6             1            11730          11730         11730        11.7k  0.12  
http_raw_uri                      IPv4       6             1             8792           8792          8792         8.8k  0.09  
http_user_agent                   IPv4       6             1            74536          74536         74536        74.5k  0.77  
http_host                         IPv4       6             1             8202           8202          8202         8.2k  0.08  
dns_query                         IPv4      17            58             4916          23994          9495       550.7k  5.69  
http_response_line                IPv4       6             1            12782          12782         12782        12.8k  0.13  
http_header (response)            IPv4       6             1            82806          82806         82806        82.8k  0.86  
http_header (response trailer)    IPv4       6             1             4572           4572          4572         4.6k  0.05  
http_content_type (response)      IPv4       6             1            14892          14892         14892        14.9k  0.15  
http_raw_header (response)        IPv4       6             1            15710          15710         15710        15.7k  0.16  
http_cookie (response)            IPv4       6             1             5336           5336          5336         5.3k  0.06  
http_stat_code                    IPv4       6             1             7046           7046          7046         7.0k  0.07  
Total                             IPv4                   441                                         21953         9.7m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       1            14            41744          84320         48700        681.8k  0.37  
PROF_DETECT_IPONLY          IPv4       2            10            41524         405824         81355        813.6k  0.44  
PROF_DETECT_IPONLY          IPv4       6             4            18892         189016         89097        356.4k  0.19  
PROF_DETECT_IPONLY          IPv4      17           211             5746         159936         44016          9.3m  4.99  
PROF_DETECT_RULES           IPv4       1            27            14136          77898         29904        807.4k  0.43  
PROF_DETECT_RULES           IPv4       2            10             4420           5154          4618         46.2k  0.02  
PROF_DETECT_RULES           IPv4       6            16             4450        5622634        399293          6.4m  3.44  
PROF_DETECT_RULES           IPv4      17           323            76608       18720250        327908        105.9m  56.96 
PROF_DETECT_STATEFUL_START    IPv4       6             3             9190        3345362       1164580          3.5m  1.88  
PROF_DETECT_STATEFUL_CONT    IPv4       1            27             4422           5764          4848        130.9k  0.07  
PROF_DETECT_STATEFUL_CONT    IPv4       2            10             4400           4872          4512         45.1k  0.02  
PROF_DETECT_STATEFUL_CONT    IPv4       6            16             4422          13534          7310        117.0k  0.06  
PROF_DETECT_STATEFUL_CONT    IPv4      17           323             4398         426760          8216          2.7m  1.43  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6             6             4642           6644          5310         31.9k  0.02  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17           116             4534          32104          5157        598.3k  0.32  
PROF_DETECT_PREFILTER       IPv4       1            27            35714          78296         54733          1.5m  0.79  
PROF_DETECT_PREFILTER       IPv4       2            10            13626          17688         14813        148.1k  0.08  
PROF_DETECT_PREFILTER       IPv4       6            16            13690         925870        157764          2.5m  1.36  
PROF_DETECT_PREFILTER       IPv4      17           323            41444         845194         68198         22.0m  11.85 
PROF_DETECT_PF_PAYLOAD      IPv4       1            27            16758          43414         25460        687.4k  0.37  
PROF_DETECT_PF_PAYLOAD      IPv4       6             4           227522         505174        314645          1.3m  0.68  
PROF_DETECT_PF_PAYLOAD      IPv4      17           323            14198         812316         31178         10.1m  5.42  
PROF_DETECT_PF_TX           IPv4       6             6             4898         634916        141390        848.3k  0.46  
PROF_DETECT_PF_TX           IPv4      17            58            13970          35452         19637          1.1m  0.61  
PROF_DETECT_PF_SORT1        IPv4       1            24             4508           5712          4711        113.1k  0.06  
PROF_DETECT_PF_SORT1        IPv4       6             4             4820          25136         12139         48.6k  0.03  
PROF_DETECT_PF_SORT1        IPv4      17           323             4464          36164          6267          2.0m  1.09  
PROF_DETECT_PF_SORT2        IPv4       1            27             4492           6128          4893        132.1k  0.07  
PROF_DETECT_PF_SORT2        IPv4       2            10             4408           4866          4518         45.2k  0.02  
PROF_DETECT_PF_SORT2        IPv4       6            16             4440          26906          7975        127.6k  0.07  
PROF_DETECT_PF_SORT2        IPv4      17           323             4446          38356          5375          1.7m  0.93  
PROF_DETECT_NONMPMLIST      IPv4       1            27             4442          21984          5527        149.2k  0.08  
PROF_DETECT_NONMPMLIST      IPv4       2            10             4424           5104          4753         47.5k  0.03  
PROF_DETECT_NONMPMLIST      IPv4       6            16             4826          27540          8238        131.8k  0.07  
PROF_DETECT_NONMPMLIST      IPv4      17           323             4412         448268          6489          2.1m  1.13  
PROF_DETECT_ALERT           IPv4       1            27             4428          34390          5798        156.5k  0.08  
PROF_DETECT_ALERT           IPv4       2            10             4414           4558          4467         44.7k  0.02  
PROF_DETECT_ALERT           IPv4       6            16             4436          28192          6271        100.3k  0.05  
PROF_DETECT_ALERT           IPv4      17           323             4422          49198          5256          1.7m  0.91  
PROF_DETECT_CLEANUP         IPv4       1            27             4530          22038          5380        145.3k  0.08  
PROF_DETECT_CLEANUP         IPv4       2            10             4410           4678          4480         44.8k  0.02  
PROF_DETECT_CLEANUP         IPv4       6            16             4566          33246          8631        138.1k  0.07  
PROF_DETECT_CLEANUP         IPv4      17           323             4416          36302          5408          1.7m  0.94  
PROF_DETECT_GETSGH          IPv4       1            27             4450           5986          4887        132.0k  0.07  
PROF_DETECT_GETSGH          IPv4       2            10             4636           5134          4810         48.1k  0.03  
PROF_DETECT_GETSGH          IPv4       6            16             4786          83398         15408        246.5k  0.13  
PROF_DETECT_GETSGH          IPv4      17           323             4432         104350         10065          3.3m  1.75  


suricata-4.0.0-etpro-all-alert-2019-12-11-T-17-48-02-12112019.1747-PlugX-RAT-Related-Checkin.pcap.txt - (197 bytes) - download
11/06/2019-04:46:17.446864  [**] [1:2810326:4] ETPRO TROJAN PlugX Related Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.56.101:49191 -> 54.251.180.52:443


stats.log - (3222 bytes) - download
------------------------------------------------------------------------------------
Date: 12/11/2019 -- 17:48:02 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 481
decoder.bytes                              | Total                     | 52122
decoder.ipv4                               | Total                     | 376
decoder.ethernet                           | Total                     | 481
decoder.tcp                                | Total                     | 16
decoder.udp                                | Total                     | 323
decoder.icmpv4                             | Total                     | 27
decoder.avg_pkt_size                       | Total                     | 108
decoder.max_pkt_size                       | Total                     | 842
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 153
tcp.sessions                               | Total                     | 2
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 1
tcp.rst                                    | Total                     | 3
detect.alert                               | Total                     | 1
detect.mpm_list                            | Total                     | 14
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 2
detect.match_list                          | Total                     | 16
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 58
app_layer.tx.dns_udp                       | Total                     | 58
app_layer.flow.failed_udp                  | Total                     | 95
flow_mgr.new_pruned                        | Total                     | 88
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 149
flow_mgr.flows_notimeout                   | Total                     | 61
flow_mgr.flows_timeout                     | Total                     | 88
flow_mgr.flows_removed                     | Total                     | 88
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65387
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7118944


eve.json - (45115 bytes) - download
{"timestamp":"2019-11-06T04:45:10.186949+0000","flow_id":550856664996421,"pcap_cnt":29,"event_type":"dns","src_ip":"192.168.56.101","src_port":52908,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42298,"rrname":"4.8.3.9.8.2.4.e.f.7.e.8.1.6.c.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:10.223951+0000","flow_id":875017174149839,"pcap_cnt":30,"event_type":"dns","src_ip":"192.168.56.101","src_port":59603,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59257,"rrname":"a.2.9.f.0.b.a.e.8.b.7.2.c.8.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:10.227829+0000","flow_id":1509349484034549,"pcap_cnt":31,"event_type":"dns","src_ip":"192.168.56.101","src_port":51292,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39834,"rrname":"116.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:10.237521+0000","flow_id":804745066749905,"pcap_cnt":32,"event_type":"dns","src_ip":"192.168.56.101","src_port":58815,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26119,"rrname":"8.6.c.6.6.a.3.7.b.2.c.a.5.4.8.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:10.241905+0000","flow_id":1003125311189233,"pcap_cnt":33,"event_type":"dns","src_ip":"192.168.56.101","src_port":58584,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49433,"rrname":"112.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:10.247254+0000","flow_id":1964663262070230,"pcap_cnt":34,"event_type":"dns","src_ip":"192.168.56.101","src_port":50409,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10911,"rrname":"115.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.173275+0000","flow_id":1999093867455707,"pcap_cnt":53,"event_type":"dns","src_ip":"192.168.56.101","src_port":52908,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42298,"rrname":"4.8.3.9.8.2.4.e.f.7.e.8.1.6.c.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.183265+0000","flow_id":1327760414329825,"pcap_cnt":58,"event_type":"dns","src_ip":"192.168.56.101","src_port":65401,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4694,"rrname":"4.2.0.2.f.7.6.9.6.5.b.5.a.7.9.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.185960+0000","flow_id":1156217273046632,"pcap_cnt":59,"event_type":"dns","src_ip":"192.168.56.101","src_port":62827,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61161,"rrname":"114.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.223630+0000","flow_id":686764462664078,"pcap_cnt":62,"event_type":"dns","src_ip":"192.168.56.101","src_port":51292,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39834,"rrname":"116.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.223770+0000","flow_id":1183314221689370,"pcap_cnt":63,"event_type":"dns","src_ip":"192.168.56.101","src_port":59603,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59257,"rrname":"a.2.9.f.0.b.a.e.8.b.7.2.c.8.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.233258+0000","flow_id":1999093867455707,"pcap_cnt":64,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":52908,"proto":"UDP","dns":{"type":"answer","id":42298,"rcode":"NXDOMAIN","rrname":"4.8.3.9.8.2.4.e.f.7.e.8.1.6.c.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa"}}
{"timestamp":"2019-11-06T04:45:11.233258+0000","flow_id":1999093867455707,"pcap_cnt":64,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":52908,"proto":"UDP","dns":{"type":"answer","id":42298,"rcode":"NXDOMAIN","rrname":"ip6.arpa","rrtype":"SOA","ttl":3322}}
{"timestamp":"2019-11-06T04:45:11.239066+0000","flow_id":146242828477914,"pcap_cnt":69,"event_type":"dns","src_ip":"192.168.56.101","src_port":50409,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10911,"rrname":"115.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.239262+0000","flow_id":606948937934494,"pcap_cnt":70,"event_type":"dns","src_ip":"192.168.56.101","src_port":58584,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49433,"rrname":"112.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.239364+0000","flow_id":668165106804484,"pcap_cnt":71,"event_type":"dns","src_ip":"192.168.56.101","src_port":58815,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26119,"rrname":"8.6.c.6.6.a.3.7.b.2.c.a.5.4.8.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.278865+0000","flow_id":686764462664078,"pcap_cnt":77,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":51292,"proto":"UDP","dns":{"type":"answer","id":39834,"rcode":"NXDOMAIN","rrname":"116.56.168.192.in-addr.arpa"}}
{"timestamp":"2019-11-06T04:45:11.282842+0000","flow_id":1183314221689370,"pcap_cnt":81,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":59603,"proto":"UDP","dns":{"type":"answer","id":59257,"rcode":"NXDOMAIN","rrname":"a.2.9.f.0.b.a.e.8.b.7.2.c.8.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa"}}
{"timestamp":"2019-11-06T04:45:11.282842+0000","flow_id":1183314221689370,"pcap_cnt":81,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":59603,"proto":"UDP","dns":{"type":"answer","id":59257,"rcode":"NXDOMAIN","rrname":"ip6.arpa","rrtype":"SOA","ttl":1608}}
{"timestamp":"2019-11-06T04:45:11.294311+0000","flow_id":146242828477914,"pcap_cnt":84,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":50409,"proto":"UDP","dns":{"type":"answer","id":10911,"rcode":"NXDOMAIN","rrname":"115.56.168.192.in-addr.arpa"}}
{"timestamp":"2019-11-06T04:45:11.294709+0000","flow_id":606948937934494,"pcap_cnt":85,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":58584,"proto":"UDP","dns":{"type":"answer","id":49433,"rcode":"NXDOMAIN","rrname":"112.56.168.192.in-addr.arpa"}}
{"timestamp":"2019-11-06T04:45:11.299203+0000","flow_id":668165106804484,"pcap_cnt":92,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":58815,"proto":"UDP","dns":{"type":"answer","id":26119,"rcode":"NXDOMAIN","rrname":"8.6.c.6.6.a.3.7.b.2.c.a.5.4.8.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa"}}
{"timestamp":"2019-11-06T04:45:11.299203+0000","flow_id":668165106804484,"pcap_cnt":92,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":58815,"proto":"UDP","dns":{"type":"answer","id":26119,"rcode":"NXDOMAIN","rrname":"ip6.arpa","rrtype":"SOA","ttl":1609}}
{"timestamp":"2019-11-06T04:45:11.575603+0000","flow_id":1223515115604083,"pcap_cnt":105,"event_type":"dns","src_ip":"192.168.56.101","src_port":60622,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12275,"rrname":"8.8.8.8.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.575902+0000","flow_id":829445423745438,"pcap_cnt":106,"event_type":"dns","src_ip":"192.168.56.101","src_port":50186,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10957,"rrname":"d.5.e.3.c.c.d.5.1.4.5.0.2.6.1.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.576183+0000","flow_id":1118891859757751,"pcap_cnt":107,"event_type":"dns","src_ip":"192.168.56.101","src_port":49562,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27767,"rrname":"103.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.809299+0000","flow_id":697903460342099,"pcap_cnt":110,"event_type":"dns","src_ip":"192.168.56.101","src_port":58756,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28793,"rrname":"1.1.a.9.4.b.c.b.6.4.1.a.f.e.0.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:11.809842+0000","flow_id":1200674479496050,"pcap_cnt":111,"event_type":"dns","src_ip":"192.168.56.101","src_port":62206,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61031,"rrname":"109.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:12.174030+0000","flow_id":1041767132080078,"pcap_cnt":118,"event_type":"dns","src_ip":"192.168.56.101","src_port":62827,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61161,"rrname":"114.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:12.174171+0000","flow_id":1677213985974363,"pcap_cnt":119,"event_type":"dns","src_ip":"192.168.56.101","src_port":65401,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4694,"rrname":"4.2.0.2.f.7.6.9.6.5.b.5.a.7.9.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:12.229280+0000","flow_id":1041767132080078,"pcap_cnt":122,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":62827,"proto":"UDP","dns":{"type":"answer","id":61161,"rcode":"NXDOMAIN","rrname":"114.56.168.192.in-addr.arpa"}}
{"timestamp":"2019-11-06T04:45:12.235855+0000","flow_id":1677213985974363,"pcap_cnt":126,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":65401,"proto":"UDP","dns":{"type":"answer","id":4694,"rcode":"NXDOMAIN","rrname":"4.2.0.2.f.7.6.9.6.5.b.5.a.7.9.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa"}}
{"timestamp":"2019-11-06T04:45:12.235855+0000","flow_id":1677213985974363,"pcap_cnt":126,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":65401,"proto":"UDP","dns":{"type":"answer","id":4694,"rcode":"NXDOMAIN","rrname":"ip6.arpa","rrtype":"SOA","ttl":900}}
{"timestamp":"2019-11-06T04:45:12.565321+0000","flow_id":1375767411335241,"pcap_cnt":130,"event_type":"dns","src_ip":"192.168.56.101","src_port":49562,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27767,"rrname":"103.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:12.565416+0000","flow_id":1735329188454568,"pcap_cnt":131,"event_type":"dns","src_ip":"192.168.56.101","src_port":50186,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10957,"rrname":"d.5.e.3.c.c.d.5.1.4.5.0.2.6.1.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:12.565504+0000","flow_id":1725055626682624,"pcap_cnt":132,"event_type":"dns","src_ip":"192.168.56.101","src_port":60622,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12275,"rrname":"8.8.8.8.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:12.621401+0000","flow_id":1375767411335241,"pcap_cnt":133,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":49562,"proto":"UDP","dns":{"type":"answer","id":27767,"rcode":"NXDOMAIN","rrname":"103.56.168.192.in-addr.arpa"}}
{"timestamp":"2019-11-06T04:45:12.624056+0000","flow_id":1725055626682624,"pcap_cnt":137,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":60622,"proto":"UDP","dns":{"type":"answer","id":12275,"rcode":"NOERROR","rrname":"8.8.8.8.in-addr.arpa","rrtype":"PTR","ttl":20948,"rdata":"dns.google"}}
{"timestamp":"2019-11-06T04:45:12.625718+0000","flow_id":1735329188454568,"pcap_cnt":138,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":50186,"proto":"UDP","dns":{"type":"answer","id":10957,"rcode":"NXDOMAIN","rrname":"d.5.e.3.c.c.d.5.1.4.5.0.2.6.1.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa"}}
{"timestamp":"2019-11-06T04:45:12.625718+0000","flow_id":1735329188454568,"pcap_cnt":138,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":50186,"proto":"UDP","dns":{"type":"answer","id":10957,"rcode":"NXDOMAIN","rrname":"ip6.arpa","rrtype":"SOA","ttl":3320}}
{"timestamp":"2019-11-06T04:45:12.798812+0000","flow_id":1922319179591772,"pcap_cnt":148,"event_type":"dns","src_ip":"192.168.56.101","src_port":62206,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61031,"rrname":"109.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:12.798958+0000","flow_id":550775060705518,"pcap_cnt":149,"event_type":"dns","src_ip":"192.168.56.101","src_port":58756,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28793,"rrname":"1.1.a.9.4.b.c.b.6.4.1.a.f.e.0.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:12.854128+0000","flow_id":1922319179591772,"pcap_cnt":150,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":62206,"proto":"UDP","dns":{"type":"answer","id":61031,"rcode":"NXDOMAIN","rrname":"109.56.168.192.in-addr.arpa"}}
{"timestamp":"2019-11-06T04:45:12.858815+0000","flow_id":550775060705518,"pcap_cnt":151,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":58756,"proto":"UDP","dns":{"type":"answer","id":28793,"rcode":"NXDOMAIN","rrname":"1.1.a.9.4.b.c.b.6.4.1.a.f.e.0.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa"}}
{"timestamp":"2019-11-06T04:45:12.858815+0000","flow_id":550775060705518,"pcap_cnt":151,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":58756,"proto":"UDP","dns":{"type":"answer","id":28793,"rcode":"NXDOMAIN","rrname":"ip6.arpa","rrtype":"SOA","ttl":1608}}
{"timestamp":"2019-11-06T04:45:13.544937+0000","flow_id":506794595668137,"pcap_cnt":170,"event_type":"dns","src_ip":"192.168.56.101","src_port":60753,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48123,"rrname":"7.3.f.a.1.6.1.d.7.6.0.1.9.2.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:13.554556+0000","flow_id":1631773232035388,"pcap_cnt":171,"event_type":"dns","src_ip":"192.168.56.101","src_port":58341,"dest_ip":"192.168.56.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10306,"rrname":"104.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:14.534093+0000","flow_id":1212253711509069,"pcap_cnt":180,"event_type":"dns","src_ip":"192.168.56.101","src_port":60753,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48123,"rrname":"7.3.f.a.1.6.1.d.7.6.0.1.9.2.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:14.550161+0000","flow_id":1086411169752337,"pcap_cnt":181,"event_type":"dns","src_ip":"192.168.56.101","src_port":58341,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10306,"rrname":"104.56.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}
{"timestamp":"2019-11-06T04:45:14.593763+0000","flow_id":1212253711509069,"pcap_cnt":182,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":60753,"proto":"UDP","dns":{"type":"answer","id":48123,"rcode":"NXDOMAIN","rrname":"7.3.f.a.1.6.1.d.7.6.0.1.9.2.0.4.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa"}}
{"timestamp":"2019-11-06T04:45:14.593763+0000","flow_id":1212253711509069,"pcap_cnt":182,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":60753,"proto":"UDP","dns":{"type":"answer","id":48123,"rcode":"NXDOMAIN","rrname":"ip6.arpa","rrtype":"SOA","ttl":1605}}
{"timestamp":"2019-11-06T04:45:14.606096+0000","flow_id":1086411169752337,"pcap_cnt":190,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.56.101","dest_port":58341,"prot

This file has been truncated.


keyword_perf.log - (10314 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 12/11/2019 -- 17:48:02
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             449814          74              74              21276           6078.00         6078.00         0.00           
  content          5169748         902             608             40174           5731.00         5709.00         5776.00        
  pcre             1460324         101             10              68240           14458.00        25871.00        13204.00       
  byte_test        2975780         550             343             56568           5410.00         5340.00         5525.00        
  byte_jump        41308           6               6               16402           6884.00         6884.00         0.00           
  isdataat         205182          38              0               25686           5399.00         0.00            5399.00        
  urilen           195662          28              13              38572           6987.00         6078.00         7776.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             449814          74              74              21276           6078.00         6078.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4289038         781             522             30906           5491.00         5463.00         5549.00        
  pcre             629146          70              0               68240           8987.00         0.00            8987.00        
  byte_test        2975780         550             343             56568           5410.00         5340.00         5525.00        
  byte_jump        41308           6               6               16402           6884.00         6884.00         0.00           
  isdataat         205182          38              0               25686           5399.00         0.00            5399.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          90876           15              7               7402            6058.00         5831.00         6257.00        
  pcre             392786          16              2               57626           24549.00        21867.00        24932.00       
  urilen           195662          28              13              38572           6987.00         6078.00         7776.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          476254          68              56              9616            7003.00         7044.00         6814.00        
  pcre             379932          11              5               54108           34539.00        34290.00        34746.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          44652           6               3               9366            7442.00         6692.00         8191.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12276           2               2               6288            6138.00         6138.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7502            1               1               7502            7502.00         7502.00         0.00           
  pcre             14934           1               0               14934           14934.00        0.00            14934.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          28862           4               3               8372            7215.00         6974.00         7940.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             7332            1               1               7332            7332.00         7332.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          208998          23              14              40174           9086.00         8822.00         9498.00        
  pcre             36194           2               2               18690           18097.00        18097.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          11290           2               0               5676            5645.00         0.00            5645.00        


suricata-4.0.0-etpro-all-perf.txt-2019-12-11-T-17-48-02-12112019.1747-PlugX-RAT-Related-Checkin.pcap.txt - (20823 bytes)
  --------------------------------------------------------------------------
  Date: 12/11/2019 -- 17:48:02. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2023626      1        3        19545572     24.69  195      0        18547668    100233.70   0.00        100233.70  
  2        2008120      1        4        7922688      10.01  323      0        6237036     24528.45    0.00        24528.45   
  3        2020741      1        1        1541344      1.95   19       0        511962      81123.37    0.00        81123.37   
  4        2803760      1        3        1936438      2.45   58       0        451122      33386.86    0.00        33386.86   
  5        2010143      1        3        2185978      2.76   254      0        429632      8606.21     0.00        8606.21    
  6        2023614      1        3        1526084      1.93   229      0        426326      6664.12     0.00        6664.12    
  7        2023616      1        3        769220       0.97   121      0        161604      6357.19     0.00        6357.19    
  8        2018358      1        7        160096       0.20   1        0        160096      160096.00   0.00        160096.00  
  9        2805348      1        4        599298       0.76   6        0        152146      99883.00    0.00        99883.00   
  10       2816909      1        2        151726       0.19   1        0        151726      151726.00   0.00        151726.00  
  11       2025064      1        5        148930       0.19   1        0        148930      148930.00   0.00        148930.00  
  12       2816940      1        2        143446       0.18   1        0        143446      143446.00   0.00        143446.00  
  13       2020388      1        8        140750       0.18   1        0        140750      140750.00   0.00        140750.00  
  14       2810326      1        4        134742       0.17   1        1        134742      134742.00   134742.00   0.00       
  15       2815254      1        7        129526       0.16   1        0        129526      129526.00   0.00        129526.00  
  16       2020742      1        1        1167242      1.47   19       0        123984      61433.79    0.00        61433.79   
  17       2821615      1        2        121910       0.15   1        0        121910      121910.00   0.00        121910.00  
  18       2816910      1        2        121122       0.15   1        0        121122      121122.00   0.00        121122.00  
  19       2011894      1        19       119680       0.15   1        0        119680      119680.00   0.00        119680.00  
  20       2820851      1        5        112580       0.14   1        0        112580      112580.00   0.00        112580.00  
  21       2022201      1        2        104064       0.13   1        0        104064      104064.00   0.00        104064.00  
  22       2815475      1        6        101724       0.13   1        0        101724      101724.00   0.00        101724.00  
  23       2021071      1        2        96996        0.12   1        0        96996       96996.00    0.00        96996.00   
  24       2018316      1        4        1169482      1.48   19       0        93832       61551.68    0.00        61551.68   
  25       2018452      1        15       93744        0.12   1        0        93744       93744.00    0.00        93744.00   
  26       2823788      1        4        390438       0.49   58       0        92734       6731.69     0.00        6731.69    
  27       2016223      1        10       91374        0.12   1        0        91374       91374.00    0.00        91374.00   
  28       2809850      1        2        852626       1.08   28       0        90984       30450.93    0.00        30450.93   
  29       2816927      1        3        90554        0.11   1        0        90554       90554.00    0.00        90554.00   
  30       2816356      1        2        89230        0.11   1        0        89230       89230.00    0.00        89230.00   
  31       2014701      1        12       2482836      3.14   117      0        88348       21220.82    0.00        21220.82   
  32       2828060      1        4        86608        0.11   1        0        86608       86608.00    0.00        86608.00   
  33       2828122      1        2        86110        0.11   1        0        86110       86110.00    0.00        86110.00   
  34       2816928      1        3        82610        0.10   1        0        82610       82610.00    0.00        82610.00   
  35       2017613      1        9        81282        0.10   1        0        81282       81282.00    0.00        81282.00   
  36       2816930      1        4        79290        0.10   1        0        79290       79290.00    0.00        79290.00   
  37       2816922      1        5        79178        0.10   1        0        79178       79178.00    0.00        79178.00   
  38       2819673      1        4        77020        0.10   1        0        77020       77020.00    0.00        77020.00   
  39       2003492      1        30       76434        0.10   1        0        76434       76434.00    0.00        76434.00   
  40       2828986      1        2        74900        0.09   1        0        74900       74900.00    0.00        74900.00   
  41       2014702      1        9        1800822      2.28   117      0        74822       15391.64    0.00        15391.64   
  42       2816929      1        4        74010        0.09   1        0        74010       74010.00    0.00        74010.00   
  43       2018666      1        4        1089778      1.38   19       0        73940       57356.74    0.00        57356.74   
  44       2022609      1        2        73196        0.09   1        0        73196       73196.00    0.00        73196.00   
  45       2816327      1        4        72884        0.09   1        0        72884       72884.00    0.00        72884.00   
  46       2022502      1        4        71774        0.09   1        0        71774       71774.00    0.00        71774.00   
  47       2010140      1        7        2744414      3.47   254      0        71554       10804.78    0.00        10804.78   
  48       2018958      1        18       70424        0.09   1        0        70424       70424.00    0.00        70424.00   
  49       2816525      1        10       69150        0.09   1        0        69150       69150.00    0.00        69150.00   
  50       2018242      1        5        68304        0.09   1        0        68304       68304.00    0.00        68304.00   
  51       2816328      1        5        67378        0.09   1        0        67378       67378.00    0.00        67378.00   
  52       2025200      1        1        639420       0.81   116      0        66978       5512.24     0.00        5512.24    
  53       2023612      1        4        966294       1.22   183      0        65414       5280.30     0.00        5280.30    
  54       2815817      1        5        63734        0.08   1        0        63734       63734.00    0.00        63734.00   
  55       2019344      1        5        62884        0.08   1        0        62884       62884.00    0.00        62884.00   
  56       2812918      1        3        62088        0.08   1        0        62088       62088.00    0.00        62088.00   
  57       2023621      1        4        961576       1.21   189      0        61204       5087.70     0.00        5087.70    
  58       2815748      1        2        59254        0.07   1        0        59254       59254.00    0.00        59254.00   
  59       2816925      1        3        59228        0.07   1        0        59228       59228.00    0.00        59228.00   
  60       2009702      1        5        1135276      1.43   117      0        58764       9703.21     0.00        9703.21    
  61       2014703      1        9        1777910      2.25   117      0        58150       15195.81    0.00        15195.81   
  62       2019881      1        3        57312        0.07   1        0        57312       57312.00    0.00        57312.00   
  63       2022545      1        1        564206       0.71   19       0        57120       29695.05    0.00        29695.05   
  64       2811274      1        7        53830        0.07   1        0        53830       53830.00    0.00        53830.00   
  65       2018981      1        4        52012        0.07   1        0        52012       52012.00    0.00        52012.00   
  66       2809859      1        6        51860        0.07   1        0        51860       51860.00    0.00        51860.00   
  67       2016858      1        10       50878        0.06   1        0        50878       50878.00    0.00        50878.00   
  68       2812916      1        6        50814        0.06   1        0        50814       50814.00    0.00        50814.00   
  69       2024178      1        2        50634        0.06   1        0        50634       50634.00    0.00        50634.00   
  70       2018496      1        9        50224        0.06   1        0        50224       50224.00    0.00        50224.00   
  71       2821561      1        2        49512        0.06   1        0        49512       49512.00    0.00        49512.00   
  72       2019230      1        2        49460        0.06   1        0        49460       49460.00    0.00        49460.00   
  73       2023618      1        3        1181092      1.49   240      0        49288       4921.22     0.00        4921.22    
  74       2816526      1        13       48914        0.06   1        0        48914       48914.00    0.00        48914.00   
  75       2809682      1        5        48352        0.06   1        0        48352       48352.00    0.00        48352.00   
  76       2830701      1        1        47990        0.06   1        0        47990       47990.00    0.00        47990.00   
  77       2816924      1        4        47706        0.06   1        0        47706       47706.00    0.00        47706.00   
  78       2829848      1        2        47420        0.06   1        0        47420       47420.00    0.00        47420.00   
  79       2022531      1        1        502146       0.63   19       0        46302       26428.74    0.00        26428.74   
  80       2816931      1        3        46256        0.06   1        0        46256       46256.00    0.00        46256.00   
  81       2018983      1        7        46074        0.06   1        0        46074       46074.00    0.00        46074.00   
  82       2826281      1        2        1518568      1.92   58       0        45030       26182.21    0.00        26182.21   
  83       2023627      1        3        924730       1.17   186      0        45028       4971.67     0.00        4971.67    
  84       2008117      1        3        838254       1.06   142      0        43710       5903.20     0.00        5903.20    
  85       2023624      1        3        778796       0.98   146      0        42780       5334.22     0.00        5334.22    
  86       2012612      1        16       40712        0.05   1        0        40712       40712.00    0.00        40712.00   
  87       2816669      1        4        39926        0.05   1        0        39926       39926.00    0.00        39926.00   
  88       2020380      1        3        39268        0.05   1        0        39268       39268.00    0.00        39268.00   
  89       2003657      1        18       39086        0.05   1        0        39086       39086.00    0.00        39086.00   
  90       2017552      1        6        63366        0.08   2        0        38966       31683.00    0.00        31683.00   
  91       2013739      1        15       1022224      1.29   207      0        38938       4938.28     0.00        4938.28    
  92       2826256      1        2        38698        0.05   1        0        38698       38698.00    0.00        38698.00   
  93       2020705      1        4        38672        0.05   1        0        38672       38672.00    0.00        38672.00   
  94       2827279      1        5        38598        0.05   1        0        38598       38598.00    0.00        38598.00   
  95       2804626      1        9        38514        0.05   1        0        38514       38514.00    0.00        38514.00   
  96       2017703      1        3        38068        0.05   1        0        38068       38068.00    0.00        38068.00   
  97       2816165      1        5        37838        0.05   1        0        37838       37838.00    0.00        37838.00   
  98       2017731      1        3        36750        0.05   1        0        36750       36750.00    0.00        36750.00   
  99       2018010      1        5        36676        0.05   1        0        36676       36676.00    0.00        36676.00   
  100      2809547      1        5        36300        0.05   1        0        36300       36300.00    0.00        36300.00   
  101      2805260      1        4        35898        0.05   1        0        35898       35898.00    0.00        35898.00   
  102      2802026      1        1        671730       0.85   123      0        35666       5461.22     0.00        5461.22    
  103      2828008      1        2        35580        0.04   1        0        35580       35580.00    0.00        35580.00   
  104      2019016      1        3        57472        0.07   6        0        34348       9578.67     0.00        9578.67    
  105      2023622      1        3        1526212      1.93   323      0        26850       4725.11     0.00        4725.11    
  106      2811544      1        1        26176        0.03   1        0        26176       26176.00    0.00        26176.00   
  107      2023613      1        3        979780       1.24   196      0        26076       4998.88     0.00        4998.88    
  108      2016537      1        2        26054        0.03   1        0        26054       26054.00    0.00        26054.00   
  109      2811577      1        2        25434        0.03   1        0        25434       25434.00    0.00        25434.00   
  110      2023625      1        3        1060850      1.34   212      0        24958       5004.01     0.00        5004.01    
  111      2023617      1        3        789914       1.00   160      0        24828       4936.96     0.00        4936.96    
  112      2022914      1        1        100880       0.13   6        0        23610       16813.33    0.00        16813.33   
  113      2023620      1        3        1356340      1.71   284      0        23548       4775.85     0.00        4775.85    
  114      2802822      1        1        724674       0.92   142      0        23440       5103.34     0.00        5103.34    
  115      2022331      1        3        139458       0.18   24       0        22758       5810.75     0.00        5810.75    
  116      2013075      1        8        285366       0.36   58       0        21842       4920.10     0.00        4920.10    
  117      2010142      1        4        1189184      1.50   254      0        21744       4681.83     0.00        4681.83    
  118      2802081      1        1        1231974      1.56   246      0        21552       5008.02     0.00        5008.02    
  119      2008118      1        3        285646       0.36   58       0        21464       4924.93     0.00        4924.93    
  120      2023623      1        3        668822       0.84   141      0        21388       4743.42     0.00        4743.42    
  121      2805211      1        1        94034        0.12   6        0        19728       15672.33    0.00        15672.33   
  122      2009243      1        2        277154       0.35   58       0        8910        4778.52     0.00        4778.52    
  123      2100540      1        12       15974        0.02   2        0        8062        7987.00     0.00        7987.00    
  124      2828877      1        1        7842         0.01   1        0        7842        7842.00     0.00        7842.00    
  125      2100540      1        12       

This file has been truncated.


suricata-report-2019-12-11-T-17-48-02-12112019.1747-PlugX-RAT-Related-Checkin.pcap.txt - (17900 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/c245b321c630f2940c793e0e36b123fb56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12112019.1747-PlugX-RAT-Related-Checkin.pcap -vvv -k none
elapsedtime:27.958626
stderr:
stdout:
11/12/2019 -- 17:47:34 - <Info> - Configuration node 'rule-files' redefined.
11/12/2019 -- 17:47:34 - <Notice> - This is Suricata version 4.0.0 RELEASE
11/12/2019 -- 17:47:34 - <Info> - CPUs/cores online: 1
11/12/2019 -- 17:47:34 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32319 and 'request-body-inspect-window' set to 16303 after randomization.
11/12/2019 -- 17:47:34 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32203 and 'response-body-inspect-window' set to 17143 after randomization.
11/12/2019 -- 17:47:34 - <Config> - DNS request flood protection level: 500
11/12/2019 -- 17:47:34 - <Config> - DNS per flow memcap (state-memcap): 524288
11/12/2019 -- 17:47:34 - <Config> - DNS global memcap: 16777216
11/12/2019 -- 17:47:34 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
11/12/2019 -- 17:47:34 - <Config> - preallocated 1000 hosts of size 136
11/12/2019 -- 17:47:34 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
11/12/2019 -- 17:47:34 - <Config> - using magic-file /usr/share/file/magic
11/12/2019 -- 17:47:34 - <Config> - Core dump size is unlimited.
11/12/2019 -- 17:47:34 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
11/12/2019 -- 17:47:34 - <Config> - preallocated 1000 defrag trackers of size 168
11/12/2019 -- 17:47:34 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
11/12/2019 -- 17:47:34 - <Config> - stream "prealloc-sessions": 2048 (per thread)
11/12/2019 -- 17:47:34 - <Config> - stream "memcap": 33554432
11/12/2019 -- 17:47:34 - <Config> - stream "midstream" session pickups: disabled
11/12/2019 -- 17:47:34 - <Config> - stream "async-oneside": disabled
11/12/2019 -- 17:47:34 - <Config> - stream "checksum-validation": disabled
11/12/2019 -- 17:47:34 - <Config> - stream."inline": disabled
11/12/2019 -- 17:47:34 - <Config> - stream "bypass": disabled
11/12/2019 -- 17:47:34 - <Config> - stream "max-synack-queued": 5
11/12/2019 -- 17:47:34 - <Config> - stream.reassembly "memcap": 134217728
11/12/2019 -- 17:47:34 - <Config> - stream.reassembly "depth": 0
11/12/2019 -- 17:47:34 - <Config> - stream.reassembly "toserver-chunk-size": 2596
11/12/2019 -- 17:47:34 - <Config> - stream.reassembly "toclient-chunk-size": 2583
11/12/2019 -- 17:47:34 - <Config> - stream.reassembly.raw: enabled
11/12/2019 -- 17:47:34 - <Config> - stream.reassembly "segment-prealloc": 2048
11/12/2019 -- 17:47:34 - <Config> - Delayed detect disabled
11/12/2019 -- 17:47:34 - <Config> - pattern matchers: MPM: ac, SPM: bm
11/12/2019 -- 17:47:34 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
11/12/2019 -- 17:47:34 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
11/12/2019 -- 17:47:34 - <Config> - prefilter engines: MPM
11/12/2019 -- 17:47:34 - <Config> - IP reputation disabled
11/12/2019 -- 17:47:34 - <Perf> - Registered 148 keyword profiling counters.
11/12/2019 -- 17:47:34 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
11/12/2019 -- 17:47:34 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
11/12/2019 -- 17:47:34 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
11/12/2019 -- 17:47:40 - <Config> - No rules loaded from ET-icmp.rules.
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
11/12/2019 -- 17:47:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
11/12/2019 -- 17:47:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
11/12/2019 -- 17:47:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
11/12/2019 -- 17:47:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
11/12/2019 -- 17:47:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
11/12/2019 -- 17:47:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
11/12/2019 -- 17:47:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
11/12/2019 -- 17:47:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
11/12/2019 -- 17:47:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
11/12/2019 -- 17:47:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
11/12/2019 -- 17:47:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
11/12/2019 -- 17:47:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
11/12/2019 -- 17:47:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
11/12/2019 -- 17:47:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
11/12/2019 -- 17:47:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
11/12/2019 -- 17:47:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
11/12/2019 -- 17:47:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
11/12/2019 -- 17:47:49 - <Config> - No rules loaded from local.rules.
11/12/2019 -- 17:47:49 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
11/12/2019 -- 17:47:49 - <Info> - Threshold config parsed: 0 rule(s) found
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for tcp-packet
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for tcp-stream
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for udp-packet
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for other-ip
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_uri
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_request_line
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_client_body
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_response_line
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_header
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_header
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_header_names
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_header_names
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_accept
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_accept_enc
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_accept_lang
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_referer
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_connection
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_content_len
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_content_len
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_content_type
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_content_type
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_protocol
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_protocol
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_start
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_start
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_raw_header
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_raw_header
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_method
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_cookie
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_cookie
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_raw_uri
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_user_agent
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_host
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_raw_host
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_stat_msg
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_stat_code
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for dns_query
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for tls_sni
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for tls_cert_issuer
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for tls_cert_subject
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for tls_cert_serial
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for dce_stub_data
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for dce_stub_data
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for ssh_protocol
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for ssh_protocol
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for ssh_software
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for ssh_software
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for file_data
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for file_data
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_request_line
11/12/2019 -- 17:47:49 - <Perf> - using shared mpm ctx' for http_response_line
11/12/2019 -- 17:47:50 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
11/12/2019 -- 17:47:50 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
11/12/2019 -- 17:47:50 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
11/12/2019 -- 17:47:50 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
11/12/2019 -- 17:47:50 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
11/12/2019 -- 17:47:50 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
11/12/2019 -- 17:47:50 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
11/12/2019 -- 17:47:50 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
11/12/2019 -- 17:47:57 - <Perf> - Unique rule groups: 104
11/12/2019 -- 17:47:57 - <Perf> - Builtin MPM "toserver TCP packet": 35
11/12/2019 -- 17:47:57 - <Perf> - Builtin MPM "toclient TCP packet": 17
11/12/2019 -- 17:47:57 - <Perf> - Builtin MPM "toserver TCP stream": 33
11/12/2019 -- 17:47:57 - <Perf> - Builtin MPM "toclient TCP stream": 19
11/12/2019 -- 17:47:57 - <Perf> - Builtin MPM "toserver UDP packet": 27
11/12/2019 -- 17:47:57 - <Perf> - Builtin MPM "toclient UDP packet": 17
11/12/2019 -- 17:47:57 - <Perf> - Builtin MPM "other IP packet": 3
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_uri": 14
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_request_line": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_client_body": 6
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient http_response_line": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_header": 10
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient http_header": 6
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_header_names": 2
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_accept": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_referer": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_content_len": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_content_type": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient http_content_type": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_protocol": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_start": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_method": 5
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_cookie": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient http_cookie": 2
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver http_host": 2
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver dns_query": 4
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver tls_sni": 2
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toserver file_data": 1
11/12/2019 -- 17:47:57 - <Perf> - AppLayer MPM "toclient file_data": 7
11/12/2019 -- 17:48:00 - <Perf> - Registered 39590 rule profiling counters.
11/12/2019 -- 17:48:00 - <Info> - fast output device (regular) initialized: alert
11/12/2019 -- 17:48:00 - <Info> - eve-log output device (regular) initialized: eve.json
11/12/2019 -- 17:48:00 - <Config> - enabling 'eve-log' module 'alert'
11/12/2019 -- 17:48:00 - <Config> - enabling 'eve-log' module 'http'
11/12/2019 -- 17:48:00 - <Config> - enabling 'eve-log' module 'dns'
11/12/2019 -- 17:48:00 - <Config> - enabling 'eve-log' module 'tls'
11/12/2019 -- 17:48:00 - <Config> - enabling 'eve-log' module 'files'
11/12/2019 -- 17:48:00 - <Config> - enabling 'eve-log' module 'ssh'
11/12/2019 -- 17:48:00 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
11/12/2019 -- 17:48:00 - <Info> - stats output device (regular) initialized: stats.log
11/12/2019 -- 17:48:00 - <Config> - AutoFP mode us

This file has been truncated.


unified2.alert.1576086480 - (489 bytes) - download
GET /188295CDA6C1E373C83A9AC1 HTTP/1.1
Accept: */*
Cookie: kCd9Zroj2jP0keMW4Ed8sLEUL04=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 54.251.180.52:443
Connection: Keep-Alive
Cache-Control: no-cache


IDSDeathBlossom.py.log - (1164 bytes) - download
2019-12-11 17:47:33,685 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-12-11 17:47:34,508 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-12-11 17:47:34,508 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-12-11 17:47:34,509 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-12-11 17:47:34,509 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-12-11 17:47:34,509 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/c245b321c630f2940c793e0e36b123fb56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12112019.1747-PlugX-RAT-Related-Checkin.pcap -vvv -k none
2019-12-11 17:48:02,471 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-12-11 17:48:02,472 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 28.797369957