Filename: 2019-05-10-traffic-caused-by-malspam-attachment-1st-run-home-Windows-computer.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 11.3477139473 seconds
Hash: c357afa0377d79ac7960d0f4c9dce2d7
Uploaded: 1558339772

Logfiles


packet_stats.log - (14600 bytes) - download
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       2            11          7988077     1368357333    1239525044         13.6b    0.15
 IPv4       6          8888          1598884     1385732532    1021033525       9074.9b   98.25
 IPv4      17           170          7094818     1378005769     869446661        147.8b    1.60
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       2            11            72088         112961         84246        926.7k    0.05
TMM_FLOWWORKER              IPv4       6          8888            67184       13376185        206392          1.8b   94.07
TMM_FLOWWORKER              IPv4      17           170           123805        6735366        249300         42.4m    2.17
TMM_RECEIVEPCAPFILE         IPv4       2            11             2544           2840          2617         28.8k    0.00
TMM_RECEIVEPCAPFILE         IPv4       6          8863             2542         740061          3069         27.2m    1.39
TMM_RECEIVEPCAPFILE         IPv4      17           170             2545          38162          3013        512.2k    0.03
TMM_DECODEPCAPFILE          IPv4       2            11             2660           3621          2965         32.6k    0.00
TMM_DECODEPCAPFILE          IPv4       6          8863             2654        4542167          4956         43.9m    2.25
TMM_DECODEPCAPFILE          IPv4      17           170             2675          87630          3901        663.2k    0.03

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          8863             2812        5290370          3914         34.7m  2.02  
flow                    IPv4      17           170             2822          39508          4764        809.9k  0.05  
stream                  IPv4       6          8888             2665        7654741          8029         71.4m  4.16  
app-layer               IPv4      17           170             2535          50896          7049          1.2m  0.07  
detect                  IPv4       2            11            66636         105367         77207        849.3k  0.05  
detect                  IPv4       6          8888            45198       13313140        174191          1.5b  90.28 
detect                  IPv4      17           170           107896         372619        172910         29.4m  1.71  
tcp-prune               IPv4       6          8888             2543        1580344          3182         28.3m  1.65  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            18             3514          70005         10630        191.3k  27.22 
http                    IPv4      17             6             2750          19047          5566         33.4k  4.75  
tls                     IPv4       6            32             2623          65811          5835        186.8k  26.56 
dns                     IPv4      17            37             3881          25949          7878        291.5k  41.47 
Proto detect            IPv4      17            49             2984          36622          8366        410.0k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            12            57312         146550         86058          1.0m  6.34  
LOGGER_UNIFIED2             IPv4       6            12            44352         220205         98323          1.2m  7.24  
LOGGER_JSON_ALERT           IPv4       6            12            81051         206485        117229          1.4m  8.64  
LOGGER_JSON_DNS             IPv4      17            32            30861        6280737        271358          8.7m  53.31 
LOGGER_JSON_HTTP            IPv4       6            12            63335         199650        136371          1.6m  10.05 
LOGGER_JSON_TLS             IPv4       6            16            38390         112291         74621          1.2m  7.33  
LOGGER_JSON_FILE            IPv4       6            11            50689         228070        104951          1.2m  7.09  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          4416             2584        1847611         18828        83.1m  17.96 
payload                           IPv4      17           170             3293          48289         11751         2.0m  0.43  
stream                            IPv4       6          4416             2523        7487678         28190       124.5m  26.90 
http_uri                          IPv4       6            12             8819          35737         18166       218.0k  0.05  
http_request_line                 IPv4       6            12             3769          24834         10204       122.5k  0.03  
http_client_body                  IPv4       6            12             2946           5753          3700        44.4k  0.01  
http_header (request)             IPv4       6            12            19016          80914         37503       450.0k  0.10  
http_header (request trailer)     IPv4       6            12             2610           3382          2754        33.1k  0.01  
http_header_names (request)       IPv4       6            12            11036          36140         18820       225.8k  0.05  
http_accept (request)             IPv4       6            12             3614           5615          4190        50.3k  0.01  
http_referer (request)            IPv4       6            12             3197           3940          3498        42.0k  0.01  
http_content_len (request)        IPv4       6            12             3135           4013          3424        41.1k  0.01  
http_content_type (request)       IPv4       6            12             3041           3959          3505        42.1k  0.01  
http_start (request)              IPv4       6            12             5828          11342          9435       113.2k  0.02  
http_raw_header (request)         IPv4       6            12             8530          28570         12119       145.4k  0.03  
http_method                       IPv4       6            12             3376           5003          4567        54.8k  0.01  
http_cookie (request)             IPv4       6            12             3068           3988          3540        42.5k  0.01  
http_raw_uri                      IPv4       6            12             4461          35059          7907        94.9k  0.02  
http_user_agent                   IPv4       6            12             3150          44058         11866       142.4k  0.03  
http_host                         IPv4       6            12             4411           9708          6645        79.7k  0.02  
dns_query                         IPv4      17            16             5844          13760          8887       142.2k  0.03  
tls_sni                           IPv4       6            16             3095          10330          7130       114.1k  0.02  
http_response_line                IPv4       6            12             4058          10326          8867       106.4k  0.02  
http_header (response)            IPv4       6           108             2651          62771          7788       841.2k  0.18  
http_header (response trailer)    IPv4       6            12             2584           3360          2834        34.0k  0.01  
http_content_type (response)      IPv4       6           108             2779           9193          3457       373.4k  0.08  
http_raw_header (response)        IPv4       6          4154             3962          83821          4484        18.6m  4.02  
http_cookie (response)            IPv4       6           108             2724          28726          3327       359.4k  0.08  
http_stat_code                    IPv4       6           108             2626          51036          3665       395.9k  0.09  
tls_cert_issuer                   IPv4       6            16             3532           9874          7059       112.9k  0.02  
tls_cert_subject                  IPv4       6            16             3290           9841          7255       116.1k  0.03  
tls_cert_serial                   IPv4       6            16             2908           7964          5561        89.0k  0.02  
file_data (http response)         IPv4       6          4154             2556        6792369         55355       229.9m  49.68 
Total                             IPv4                 18050                                         25641       462.8m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       2            11            18701          43964         24241        266.7k  0.01  
PROF_DETECT_IPONLY          IPv4       6            56             3159          59634         21371          1.2m  0.06  
PROF_DETECT_IPONLY          IPv4      17            50            18725          72633         28214          1.4m  0.07  
PROF_DETECT_RULES           IPv4       2            11             2549           3400          2681         29.5k  0.00  
PROF_DETECT_RULES           IPv4       6          8888             2529       13242054         42490        377.7m  19.03 
PROF_DETECT_RULES           IPv4      17           170            24413         250228         85591         14.6m  0.73  
PROF_DETECT_STATEFUL_START    IPv4       6          2033             5112       13203395         31062         63.2m  3.18  
PROF_DETECT_STATEFUL_CONT    IPv4       2            11             2520           3184          2694         29.6k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          8888             2523         195353         10737         95.4m  4.81  
PROF_DETECT_STATEFUL_CONT    IPv4      17           170             2521          34038          3449        586.5k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          8777             2554         118872          2785         24.4m  1.23  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            34             2614           3232          2843         96.7k  0.00  
PROF_DETECT_PREFILTER       IPv4       2            11             7858          33920         12122        133.3k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          8888             7904        7570749         78518        697.9m  35.16 
PROF_DETECT_PREFILTER       IPv4      17           170            24296         100383         36518          6.2m  0.31  
PROF_DETECT_PF_PAYLOAD      IPv4       6          4416            12832        7514552         55486        245.0m  12.35 
PROF_DETECT_PF_PAYLOAD      IPv4      17           170             8358          53638         17007          2.9m  0.15  
PROF_DETECT_PF_TX           IPv4       6          8777             2562        6808863         34689        304.5m  15.34 
PROF_DETECT_PF_TX           IPv4      17            17             2641          20699         14157        240.7k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6          2653             2523          90575          3452          9.2m  0.46  
PROF_DETECT_PF_SORT1        IPv4      17           170             2739          30065          3437        584.4k  0.03  
PROF_DETECT_PF_SORT2        IPv4       2            11             2529          28475          5041         55.5k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6          8888             2520        6115849          3540         31.5m  1.59  
PROF_DETECT_PF_SORT2        IPv4      17           170             2559          17802          2928        497.8k  0.03  
PROF_DETECT_NONMPMLIST      IPv4       2            11             2554           3006          2798         30.8k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6          8888             2529         115694          3001         26.7m  1.34  
PROF_DETECT_NONMPMLIST      IPv4      17           170             2527          14457          3032        515.5k  0.03  
PROF_DETECT_ALERT           IPv4       2            11             2531           3271          2645         29.1k  0.00  
PROF_DETECT_ALERT           IPv4       6          8888             2525          82448          2798         24.9m  1.25  
PROF_DETECT_ALERT           IPv4      17           170             2529          21515          2894        492.1k  0.02  
PROF_DETECT_CLEANUP         IPv4       2            11             2522           2816          2593         28.5k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          8888             2560         511817          2987         26.5m  1.34  
PROF_DETECT_CLEANUP         IPv4      17           170             2523          25125          3155        536.4k  0.03  
PROF_DETECT_GETSGH          IPv4       2            11             2739           4195          2907         32.0k  0.00  
PROF_DETECT_GETSGH          IPv4       6          8888             2523          39518          2992         26.6m  1.34  
PROF_DETECT_GETSGH          IPv4      17           170             2557          35053          4686        796.8k  0.04  


suricata-4.0.0-etopen-all-perf.txt-2019-05-20-T-08-09-44-05202019.0809-2019-05-10-traffic-caused-by-malspam-attachment-1st-run-home-Windows-computer.pcap.txt - (45142 bytes) - download
  --------------------------------------------------------------------------
  Date: 5/20/2019 -- 08:09:44. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2017552      1        6        38810850     12.74  1403     0        13216371    27662.76    0.00        27662.76   
  2        2001330      1        8        19054084     6.26   4031     0        7685370     4726.89     0.00        4726.89    
  3        2014956      1        1        9769870      3.21   284      0        6269385     34400.95    0.00        34400.95   
  4        2017748      1        6        8449560      2.77   181      0        5907841     46682.65    0.00        46682.65   
  5        2020865      1        3        20653679     6.78   147      0        476793      140501.22   0.00        140501.22  
  6        2024829      1        2        4904495      1.61   213      0        411552      23025.80    0.00        23025.80   
  7        2022797      1        2        2102686      0.69   19       0        286666      110667.68   0.00        110667.68  
  8        2016855      1        2        1224829      0.40   6        0        232244      204138.17   0.00        204138.17  
  9        2024650      1        1        5471551      1.80   353      0        212557      15500.14    0.00        15500.14   
  10       2016854      1        3        966035       0.32   6        0        190498      161005.83   0.00        161005.83  
  11       2021433      1        2        1654627      0.54   16       0        165302      103414.19   0.00        103414.19  
  12       2008575      1        5        18593301     6.11   2453     0        149888      7579.82     0.00        7579.82    
  13       2023476      1        5        1454851      0.48   16       0        140578      90928.19    0.00        90928.19   
  14       2019715      1        2        1618427      0.53   25       0        134461      64737.08    0.00        64737.08   
  15       2021434      1        2        1498385      0.49   16       0        130273      93649.06    0.00        93649.06   
  16       2021432      1        2        1571906      0.52   16       0        123309      98244.12    0.00        98244.12   
  17       2018464      1        4        1073545      0.35   70       0        119553      15336.36    0.00        15336.36   
  18       2022050      1        3        1352470      0.44   25       1        115256      54098.80    34220.00    54927.08   
  19       2018982      1        2        1442406      0.47   25       0        114982      57696.24    0.00        57696.24   
  20       2016537      1        2        20795425     6.83   1395     4        111386      14907.11    68805.00    14752.12   
  21       2021586      1        3        1514805      0.50   16       0        111341      94675.31    0.00        94675.31   
  22       2022552      1        2        3956345      1.30   191      0        107144      20713.85    0.00        20713.85   
  23       2019707      1        2        326401       0.11   5        0        102070      65280.20    0.00        65280.20   
  24       2023818      1        2        150536       0.05   2        2        102059      75268.00    75268.00    0.00       
  25       2020569      1        1        1318533      0.43   25       0        100360      52741.32    0.00        52741.32   
  26       2008309      1        3        1685819      0.55   552      0        97292       3054.02     0.00        3054.02    
  27       2014958      1        1        3396559      1.12   284      0        93478       11959.71    0.00        11959.71   
  28       2008276      1        15       126064       0.04   2        2        88005       63032.00    63032.00    0.00       
  29       2022220      1        2        86679        0.03   1        1        86679       86679.00    86679.00    0.00       
  30       2023671      1        4        1146060      0.38   70       0        85972       16372.29    0.00        16372.29   
  31       2022054      1        3        85788        0.03   1        1        85788       85788.00    85788.00    0.00       
  32       2022901      1        2        83152        0.03   1        0        83152       83152.00    0.00        83152.00   
  33       2019165      1        3        1039732      0.34   70       0        81730       14853.31    0.00        14853.31   
  34       2024909      1        2        3400115      1.12   163      0        80542       20859.60    0.00        20859.60   
  35       2018959      1        3        2101364      0.69   70       3        78788       30019.49    57725.33    28778.93   
  36       2022049      1        3        77722        0.03   1        1        77722       77722.00    77722.00    0.00       
  37       2022543      1        1        351876       0.12   17       0        77096       20698.59    0.00        20698.59   
  38       2016141      1        5        140529       0.05   2        2        76971       70264.50    70264.50    0.00       
  39       2020573      1        2        111206       0.04   2        2        76619       55603.00    55603.00    0.00       
  40       2009897      1        14       903007       0.30   25       0        76000       36120.28    0.00        36120.28   
  41       2024771      1        1        19215525     6.31   4151     0        74453       4629.13     0.00        4629.13    
  42       2023711      1        2        1170448      0.38   70       0        73729       16720.69    0.00        16720.69   
  43       2018373      1        3        684767       0.22   197      0        72630       3475.97     0.00        3475.97    
  44       2020302      1        6        71953        0.02   1        0        71953       71953.00    0.00        71953.00   
  45       2012969      1        2        70456        0.02   1        0        70456       70456.00    0.00        70456.00   
  46       2018789      1        3        169719       0.06   18       0        69157       9428.83     0.00        9428.83    
  47       2018241      1        2        1335812      0.44   70       0        68295       19083.03    0.00        19083.03   
  48       2020963      1        2        67833        0.02   1        0        67833       67833.00    0.00        67833.00   
  49       2023623      1        3        366254       0.12   111      0        66712       3299.59     0.00        3299.59    
  50       2018005      1        6        811149       0.27   16       0        65678       50696.81    0.00        50696.81   
  51       2013441      1        9        861880       0.28   25       0        65478       34475.20    0.00        34475.20   
  52       2022627      1        12       769116       0.25   16       0        64945       48069.75    0.00        48069.75   
  53       2009909      1        10       883887       0.29   25       0        63028       35355.48    0.00        35355.48   
  54       2016143      1        3        3351950      1.10   224      0        62972       14964.06    0.00        14964.06   
  55       2023670      1        3        62667        0.02   1        1        62667       62667.00    62667.00    0.00       
  56       2014353      1        6        1714620      0.56   70       0        62663       24494.57    0.00        24494.57   
  57       2014819      1        3        330358       0.11   6        0        62174       55059.67    0.00        55059.67   
  58       2022535      1        11       796836       0.26   16       0        61988       49802.25    0.00        49802.25   
  59       2023679      1        3        1051293      0.35   70       0        61469       15018.47    0.00        15018.47   
  60       2021381      1        7        58900        0.02   1        1        58900       58900.00    58900.00    0.00       
  61       2017190      1        6        107035       0.04   2        0        58348       53517.50    0.00        53517.50   
  62       2021067      1        2        152926       0.05   3        3        58305       50975.33    50975.33    0.00       
  63       2017598      1        10       102632       0.03   2        0        56228       51316.00    0.00        51316.00   
  64       2015744      1        4        61311        0.02   3        1        56093       20437.00    56093.00    2609.00    
  65       2021073      1        2        92203        0.03   2        2        56032       46101.50    46101.50    0.00       
  66       2022658      1        4        87739        0.03   2        0        55591       43869.50    0.00        43869.50   
  67       2023315      1        2        54881        0.02   1        0        54881       54881.00    0.00        54881.00   
  68       2014519      1        7        722751       0.24   166      0        54505       4353.92     0.00        4353.92    
  69       2022339      1        2        53720        0.02   1        0        53720       53720.00    0.00        53720.00   
  70       2019094      1        5        53140        0.02   1        0        53140       53140.00    0.00        53140.00   
  71       2009387      1        4        1645015      0.54   521      0        50825       3157.42     0.00        3157.42    
  72       2020661      1        3        2153684      0.71   347      0        50685       6206.58     0.00        6206.58    
  73       2018403      1        10       99376        0.03   2        0        50238       49688.00    0.00        49688.00   
  74       2018260      1        4        87538        0.03   2        0        50127       43769.00    0.00        43769.00   
  75       2012981      1        5        396974       0.13   12       0        50106       33081.17    0.00        33081.17   
  76       2022830      1        2        86236        0.03   2        0        49532       43118.00    0.00        43118.00   
  77       2014442      1        6        49409        0.02   1        0        49409       49409.00    0.00        49409.00   
  78       2021068      1        2        48876        0.02   1        1        48876       48876.00    48876.00    0.00       
  79       2022482      1        3        82847        0.03   2        0        48720       41423.50    0.00        41423.50   
  80       2010067      1        10       48664        0.02   1        0        48664       48664.00    0.00        48664.00   
  81       2019345      1        2        5816846      1.91   397      0        48241       14652.01    0.00        14652.01   
  82       2023672      1        4        1028536      0.34   70       1        48239       14693.37    48239.00    14207.20   
  83       2020297      1        2        478807       0.16   30       0        47773       15960.23    0.00        15960.23   
  84       2013352      1        4        1374660      0.45   70       0        47608       19638.00    0.00        19638.00   
  85       2008438      1        20       1089215      0.36   25       0        46633       43568.60    0.00        43568.60   
  86       2016112      1        3        2178749      0.72   145      0        46052       15025.86    0.00        15025.86   
  87       2021413      1        2        45472        0.01   1        0        45472       45472.00    0.00        45472.00   
  88       2022896      1        5        90648        0.03   2        0        45402       45324.00    0.00        45324.00   
  89       2020960      1        2        71765        0.02   2        0        44734       35882.50    0.00        35882.50   
  90       2018958      1        18       44401        0.01   1        0        44401       44401.00    0.00        44401.00   
  91       2018452      1        15       44145        0.01   1        0        44145       44145.00    0.00        44145.00   
  92       2024767      1        2        43510        0.01   1        0        43510       43510.00    0.00        43510.00   
  93       2013036      1        7        176074       0.06   6        0        43062       29345.67    0.00        29345.67   
  94       2009028      1        11       1348508      0.44   70       0        42769       19264.40    0.00        19264.40   
  95       2020991      1        2        77654        0.03   2        0        42682       38827.00    0.00        38827.00   
  96       2016502      1        2        1939796      0.64   136      0        42470       14263.21    0.00        14263.21   
  97       2021718      1        4        42364        0.01   1        0        42364       42364.00    0.00        42364.00   
  98       2020421      1        2        1021100      0.34   70       0        42253       14587.14    0.00        14587.14   
  99       2020295      1        6        71226        0.02   2        0        41832       35613.00    0.00        35613.00   
  100      2022502      1        4        130241       0.04   5        0        41562       26048.20    0.00        26048.20   
  101      2018581      1        3        70306        0.02   2        0        39928       35153.00    0.00        35153.00   
  102      2016948      1        2        2890678      0.95   202      0        39682       14310.29    0.00        14310.29   
  103      2021418      1        9        39414        0.01   1        0        39414       39414.00    0.00        39414.00   
  104      2014471      1        6        191858       0.06   6        0        38976       31976.33    0.00        31976.33   
  105      2021607      1        6        74676        0.02   2        0        38855       37338.00    0.00        37338.00   
  106      2018375      1        3        2486747      0.82   197      0        38630       12623.08    0.00        12623.08   
  107      2022132      1        1        2269179      0.75   628      0        38523       3613.34     0.00        3613.34    
  108      2022051      1        2        971034       0.32   70       1        38457       13871.91    38457.00    13515.61   
  109      2020941      1        2        73325        0.02   2        0        38388       36662.50    0.00        36662.50   
  110      2008420      1        4        111776       0.04   24       0        38197       4657.33     0.00        4657.33    
  111      2017119      1        4        38140        0.01   1        0        38140       38140.00    0.00        38140.00   
  112      2021076      1        2        396436       0.13   70       6        38081       5663.37     36041.17    2815.45    
  113      2021245      1        6        65819        0.02   2        0        37775       32909.50    0.00        32909.50   
  114      2019881      1        3        37767        0.01   1        0        37767       37767.00    0.00        37767.00   
  115      2020826      1        7        74440        0.02   2        0        37639       37220.00    0.00        37220.00   
  116      2022053      1        2        1011958      0.33   70       1        37637       14456.54    36700.00    14134.17   
  117      2016538      1        3        536995       0.18   70       3        37604       7671.36     35977.00    6403.94    
  118      2012612      1        16       205193       0.07   8        0        37591       25649.12    0.00        25649.12   
  119      2025064      1        5        37551        0.01   1        0        37551       37551.00    0.00        37551.00   
  120      2023083      1        2        37291        0.01   1        0        37291       37291.00    0.00        37291.00   
  121      2010140      1        7        552490       0.18   152      0        37130       3634.80     0.00        3634.80    
  122      2018358      1        7        36802        0.01   1        0        36802       36802.00    0.00        36802.00   
  123      2023875      1        2        36765        0.01   1        0        36765       36765.00    0.00        36765.00   
  124      2008297      1        5        2145632      0.70   773      0        36597       2775.72     0.00        2775.72    
  125      2016029      1        3        7

This file has been truncated. Go here to download in full.


suricata-report-2019-05-20-T-08-09-44-05202019.0809-2019-05-10-traffic-caused-by-malspam-attachment-1st-run-home-Windows-computer.pcap.txt - (18211 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/c357afa0377d79ac7960d0f4c9dce2d7d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/05202019.0809-2019-05-10-traffic-caused-by-malspam-attachment-1st-run-home-Windows-computer.pcap -vvv -k none
elapsedtime:10.356798
stderr:
stdout:
20/5/2019 -- 08:09:33 - <Info> - Configuration node 'rule-files' redefined.
20/5/2019 -- 08:09:33 - <Notice> - This is Suricata version 4.0.0 RELEASE
20/5/2019 -- 08:09:33 - <Info> - CPUs/cores online: 1
20/5/2019 -- 08:09:33 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32520 and 'request-body-inspect-window' set to 15930 after randomization.
20/5/2019 -- 08:09:33 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31341 and 'response-body-inspect-window' set to 15650 after randomization.
20/5/2019 -- 08:09:33 - <Config> - DNS request flood protection level: 500
20/5/2019 -- 08:09:33 - <Config> - DNS per flow memcap (state-memcap): 524288
20/5/2019 -- 08:09:33 - <Config> - DNS global memcap: 16777216
20/5/2019 -- 08:09:33 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
20/5/2019 -- 08:09:33 - <Config> - preallocated 1000 hosts of size 136
20/5/2019 -- 08:09:33 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
20/5/2019 -- 08:09:33 - <Config> - using magic-file /usr/share/file/magic
20/5/2019 -- 08:09:33 - <Config> - Core dump size is unlimited.
20/5/2019 -- 08:09:33 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
20/5/2019 -- 08:09:33 - <Config> - preallocated 1000 defrag trackers of size 168
20/5/2019 -- 08:09:33 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
20/5/2019 -- 08:09:33 - <Config> - stream "prealloc-sessions": 2048 (per thread)
20/5/2019 -- 08:09:33 - <Config> - stream "memcap": 33554432
20/5/2019 -- 08:09:33 - <Config> - stream "midstream" session pickups: disabled
20/5/2019 -- 08:09:33 - <Config> - stream "async-oneside": disabled
20/5/2019 -- 08:09:33 - <Config> - stream "checksum-validation": disabled
20/5/2019 -- 08:09:33 - <Config> - stream."inline": disabled
20/5/2019 -- 08:09:33 - <Config> - stream "bypass": disabled
20/5/2019 -- 08:09:33 - <Config> - stream "max-synack-queued": 5
20/5/2019 -- 08:09:33 - <Config> - stream.reassembly "memcap": 134217728
20/5/2019 -- 08:09:33 - <Config> - stream.reassembly "depth": 0
20/5/2019 -- 08:09:33 - <Config> - stream.reassembly "toserver-chunk-size": 2500
20/5/2019 -- 08:09:33 - <Config> - stream.reassembly "toclient-chunk-size": 2504
20/5/2019 -- 08:09:33 - <Config> - stream.reassembly.raw: enabled
20/5/2019 -- 08:09:33 - <Config> - stream.reassembly "segment-prealloc": 2048
20/5/2019 -- 08:09:33 - <Config> - Delayed detect disabled
20/5/2019 -- 08:09:33 - <Config> - pattern matchers: MPM: ac, SPM: bm
20/5/2019 -- 08:09:33 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
20/5/2019 -- 08:09:33 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
20/5/2019 -- 08:09:33 - <Config> - prefilter engines: MPM
20/5/2019 -- 08:09:33 - <Config> - IP reputation disabled
20/5/2019 -- 08:09:33 - <Perf> - Registered 148 keyword profiling counters.
20/5/2019 -- 08:09:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
20/5/2019 -- 08:09:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
20/5/2019 -- 08:09:33 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
20/5/2019 -- 08:09:35 - <Config> - No rules loaded from ET-emerging-icmp.rules.
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
20/5/2019 -- 08:09:35 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
20/5/2019 -- 08:09:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
20/5/2019 -- 08:09:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
20/5/2019 -- 08:09:36 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
20/5/2019 -- 08:09:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
20/5/2019 -- 08:09:37 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
20/5/2019 -- 08:09:38 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
20/5/2019 -- 08:09:38 - <Config> - No rules loaded from local.rules.
20/5/2019 -- 08:09:38 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
20/5/2019 -- 08:09:38 - <Info> - Threshold config parsed: 0 rule(s) found
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for tcp-packet
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for tcp-stream
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for udp-packet
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for other-ip
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_uri
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_request_line
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_client_body
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_response_line
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_header
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_header
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_header_names
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_header_names
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_accept
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_accept_enc
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_accept_lang
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_referer
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_connection
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_content_len
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_content_len
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_content_type
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_content_type
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_protocol
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_protocol
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_start
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_start
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_raw_header
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_raw_header
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_method
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_cookie
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_cookie
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_raw_uri
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_user_agent
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_host
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_raw_host
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_stat_msg
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_stat_code
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for dns_query
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for tls_sni
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for tls_cert_issuer
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for tls_cert_subject
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for tls_cert_serial
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for dce_stub_data
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for dce_stub_data
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for ssh_protocol
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for ssh_protocol
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for ssh_software
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for ssh_software
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for file_data
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for file_data
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_request_line
20/5/2019 -- 08:09:38 - <Perf> - using shared mpm ctx' for http_response_line
20/5/2019 -- 08:09:38 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
20/5/2019 -- 08:09:38 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
20/5/2019 -- 08:09:38 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
20/5/2019 -- 08:09:38 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
20/5/2019 -- 08:09:38 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
20/5/2019 -- 08:09:38 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
20/5/2019 -- 08:09:38 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
20/5/2019 -- 08:09:38 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
20/5/2019 -- 08:09:41 - <Perf> - Unique rule groups: 111
20/5/2019 -- 08:09:41 - <Perf> - Builtin MPM "toserver TCP packet": 31
20/5/2019 -- 08:09:41 - <Perf> - Builtin MPM "toclient TCP packet": 20
20/5/2019 -- 08:09:41 - <Perf> - Builtin MPM "toserver TCP stream": 31
20/5/2019 -- 08:09:41 - <Perf> - Builtin MPM "toclient TCP stream": 21
20/5/2019 -- 08:09:41 - <Perf> - Builtin MPM "toserver UDP packet": 33
20/5/2019 -- 08:09:41 - <Perf> - Builtin MPM "toclient UDP packet": 15
20/5/2019 -- 08:09:41 - <Perf> - Builtin MPM "other IP packet": 2
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_uri": 8
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_request_line": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_client_body": 6
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient http_response_line": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_header": 6
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient http_header": 3
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_header_names": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_accept": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_referer": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_content_len": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_content_type": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient http_content_type": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_start": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_method": 3
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_cookie": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient http_cookie": 2
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver http_host": 2
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver dns_query": 4
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver tls_sni": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toserver file_data": 1
20/5/2019 -- 08:09:41 - <Perf> - AppLayer MPM "toclient file_data": 5
20/5/2019 -- 08:09:41 - <Perf> - Registered 18241 rule profiling counters.
20/5/2019 -- 08:09:41 - <Info> - fast output device (regular) initialized: alert
20/5/2019 -- 08:09:41 - <Info> - eve-log output device (regular) initialized: eve.json
20/5/2019 -- 08:09:41 - <Config> - enabling 'eve-log' module 'alert'
20/5/2019 -- 08:09:41 - <Config> - enabling 'eve-log' module 'http'
20/5/2019 -- 08:09:41 - <Config> - enabling 'eve-log' module 'dns'
20/5/2019 -- 08:09:41 - <Config> - enabling 'eve-log' module 'tls'
20/5/2019 -- 08:09:41 - <Config> - enabling 'eve-log' module 'files'
20/5/2019 -- 08:09:41 - <Config> - enabling 'eve-log' module 'ssh'
20/5/2019 -- 08:09:41 - <Info> - Unified2-alert initialized: filen

This file has been truncated. Go here to download in full.


stats.log - (3384 bytes) - download
------------------------------------------------------------------------------------
Date: 5/20/2019 -- 08:09:44 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 9044
decoder.bytes                              | Total                     | 8589252
decoder.ipv4                               | Total                     | 9044
decoder.ethernet                           | Total                     | 9044
decoder.tcp                                | Total                     | 8863
decoder.udp                                | Total                     | 170
decoder.avg_pkt_size                       | Total                     | 949
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 28
flow.udp                                   | Total                     | 32
tcp.sessions                               | Total                     | 28
tcp.syn                                    | Total                     | 28
tcp.synack                                 | Total                     | 27
tcp.rst                                    | Total                     | 25
detect.alert                               | Total                     | 21
detect.mpm_list                            | Total                     | 2
detect.nonmpm_list                         | Total                     | 1
detect.match_list                          | Total                     | 2
app_layer.flow.http                        | Total                     | 11
app_layer.tx.http                          | Total                     | 12
app_layer.flow.tls                         | Total                     | 16
app_layer.flow.dns_udp                     | Total                     | 16
app_layer.tx.dns_udp                       | Total                     | 16
app_layer.flow.failed_udp                  | Total                     | 16
flow_mgr.closed_pruned                     | Total                     | 4
flow_mgr.new_pruned                        | Total                     | 14
flow_mgr.est_pruned                        | Total                     | 17
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 48
flow_mgr.flows_notimeout                   | Total                     | 3
flow_mgr.flows_timeout                     | Total                     | 45
flow_mgr.flows_timeout_inuse               | Total                     | 22
flow_mgr.flows_removed                     | Total                     | 23
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65488
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7088128


eve.json - (43498 bytes) - download
{"timestamp":"2019-05-10T19:59:49.621676+0000","flow_id":1974120920480876,"pcap_cnt":20,"event_type":"dns","src_ip":"10.5.10.102","src_port":53777,"dest_ip":"10.5.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48906,"rrname":"www.msftncsi.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-05-10T19:59:50.035290+0000","flow_id":1823719755778522,"pcap_cnt":21,"event_type":"dns","src_ip":"10.5.10.102","src_port":54977,"dest_ip":"10.5.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21732,"rrname":"dns.msftncsi.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-05-10T19:59:50.060961+0000","flow_id":1823719755778522,"pcap_cnt":22,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":54977,"proto":"UDP","dns":{"type":"answer","id":21732,"rcode":"NOERROR","rrname":"dns.msftncsi.com","rrtype":"A","ttl":5,"rdata":"131.107.255.255"}}
{"timestamp":"2019-05-10T19:59:50.654887+0000","flow_id":1974120920480876,"pcap_cnt":24,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":53777,"proto":"UDP","dns":{"type":"answer","id":48906,"rcode":"NOERROR","rrname":"www.msftncsi.com","rrtype":"CNAME","ttl":5,"rdata":"www.msftncsi.com.edgesuite.net"}}
{"timestamp":"2019-05-10T19:59:50.654887+0000","flow_id":1974120920480876,"pcap_cnt":24,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":53777,"proto":"UDP","dns":{"type":"answer","id":48906,"rcode":"NOERROR","rrname":"www.msftncsi.com.edgesuite.net","rrtype":"CNAME","ttl":5,"rdata":"a1961.g2.akamai.net"}}
{"timestamp":"2019-05-10T19:59:50.654887+0000","flow_id":1974120920480876,"pcap_cnt":24,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":53777,"proto":"UDP","dns":{"type":"answer","id":48906,"rcode":"NOERROR","rrname":"a1961.g2.akamai.net","rrtype":"A","ttl":5,"rdata":"23.63.254.163"}}
{"timestamp":"2019-05-10T19:59:50.654887+0000","flow_id":1974120920480876,"pcap_cnt":24,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":53777,"proto":"UDP","dns":{"type":"answer","id":48906,"rcode":"NOERROR","rrname":"a1961.g2.akamai.net","rrtype":"A","ttl":5,"rdata":"23.63.254.176"}}
{"timestamp":"2019-05-10T19:59:50.654887+0000","flow_id":1974120920480876,"pcap_cnt":24,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":53777,"proto":"UDP","dns":{"type":"answer","id":48906,"rcode":"NOERROR","rrname":"a1961.g2.akamai.net","rrtype":"A","ttl":5,"rdata":"23.63.254.144"}}
{"timestamp":"2019-05-10T19:59:50.703910+0000","flow_id":773003251419811,"pcap_cnt":31,"event_type":"http","src_ip":"10.5.10.102","src_port":49157,"dest_ip":"23.63.254.163","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.msftncsi.com","url":"\/ncsi.txt","http_user_agent":"Microsoft NCSI","http_content_type":"text\/plain"}}
{"timestamp":"2019-05-10T19:59:50.704178+0000","flow_id":773003251419811,"pcap_cnt":33,"event_type":"fileinfo","src_ip":"23.63.254.163","src_port":80,"dest_ip":"10.5.10.102","dest_port":49157,"proto":"TCP","http":{"hostname":"www.msftncsi.com","url":"\/ncsi.txt","http_user_agent":"Microsoft NCSI","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":14},"app_proto":"http","fileinfo":{"filename":"\/ncsi.txt","gaps":false,"state":"CLOSED","stored":false,"size":14,"tx_id":0}}
{"timestamp":"2019-05-10T20:01:20.750767+0000","flow_id":1703340418315636,"pcap_cnt":48,"event_type":"alert","src_ip":"209.141.34.8","src_port":80,"dest_ip":"10.5.10.102","dest_port":49158,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2022050,"rev":3,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-05-10T20:01:20.871214+0000","flow_id":1703340418315636,"pcap_cnt":84,"event_type":"alert","src_ip":"209.141.34.8","src_port":80,"dest_ip":"10.5.10.102","dest_port":49158,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-05-10T20:01:20.871214+0000","flow_id":1703340418315636,"pcap_cnt":84,"event_type":"alert","src_ip":"209.141.34.8","src_port":80,"dest_ip":"10.5.10.102","dest_port":49158,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022051,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-05-10T20:01:20.871214+0000","flow_id":1703340418315636,"pcap_cnt":84,"event_type":"alert","src_ip":"209.141.34.8","src_port":80,"dest_ip":"10.5.10.102","dest_port":49158,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022053,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-05-10T20:01:20.871214+0000","flow_id":1703340418315636,"pcap_cnt":84,"event_type":"alert","src_ip":"209.141.34.8","src_port":80,"dest_ip":"10.5.10.102","dest_port":49158,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2023672,"rev":4,"signature":"ET TROJAN JS\/WSF Downloader Dec 08 2016 M4","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-05-10T20:01:20.871214+0000","flow_id":1703340418315636,"pcap_cnt":84,"event_type":"alert","src_ip":"209.141.34.8","src_port":80,"dest_ip":"10.5.10.102","dest_port":49158,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021076,"rev":2,"signature":"ET INFO SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-05-10T20:01:21.257204+0000","flow_id":1703340418315636,"pcap_cnt":316,"event_type":"http","src_ip":"10.5.10.102","src_port":49158,"dest_ip":"209.141.34.8","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"209.141.34.8","url":"\/amsi.jpg","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"image\/jpeg"}}
{"timestamp":"2019-05-10T20:01:26.257117+0000","flow_id":1703340418315636,"pcap_cnt":317,"event_type":"fileinfo","src_ip":"209.141.34.8","src_port":80,"dest_ip":"10.5.10.102","dest_port":49158,"proto":"TCP","http":{"hostname":"209.141.34.8","url":"\/amsi.jpg","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"image\/jpeg","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237701},"app_proto":"http","fileinfo":{"filename":"\/amsi.jpg","gaps":false,"state":"CLOSED","stored":false,"size":237701,"tx_id":0}}
{"timestamp":"2019-05-10T20:02:36.353100+0000","flow_id":1109290611663692,"pcap_cnt":322,"event_type":"dns","src_ip":"10.5.10.102","src_port":55971,"dest_ip":"10.5.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56921,"rrname":"time.windows.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-05-10T20:02:36.385939+0000","flow_id":1109290611663692,"pcap_cnt":323,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":55971,"proto":"UDP","dns":{"type":"answer","id":56921,"rcode":"NOERROR","rrname":"time.windows.com","rrtype":"CNAME","ttl":5,"rdata":"time.microsoft.akadns.net"}}
{"timestamp":"2019-05-10T20:02:36.385939+0000","flow_id":1109290611663692,"pcap_cnt":323,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":55971,"proto":"UDP","dns":{"type":"answer","id":56921,"rcode":"NOERROR","rrname":"time.microsoft.akadns.net","rrtype":"A","ttl":5,"rdata":"52.173.193.166"}}
{"timestamp":"2019-05-10T20:06:36.159174+0000","flow_id":1037727882309062,"pcap_cnt":335,"event_type":"dns","src_ip":"10.5.10.102","src_port":63879,"dest_ip":"10.5.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8201,"rrname":"forsynanchyv.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-05-10T20:06:36.545477+0000","flow_id":1037727882309062,"pcap_cnt":336,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":63879,"proto":"UDP","dns":{"type":"answer","id":8201,"rcode":"NOERROR","rrname":"forsynanchyv.com","rrtype":"A","ttl":5,"rdata":"109.248.222.237"}}
{"timestamp":"2019-05-10T20:06:37.418565+0000","flow_id":1218717804160272,"pcap_cnt":343,"event_type":"tls","src_ip":"10.5.10.102","src_port":49159,"dest_ip":"109.248.222.237","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space","issuerdn":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space"}}
{"timestamp":"2019-05-10T20:06:38.109240+0000","flow_id":2231183329897144,"pcap_cnt":347,"event_type":"dns","src_ip":"10.5.10.102","src_port":54140,"dest_ip":"10.5.10.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56325,"rrname":"ctldl.windowsupdate.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-05-10T20:06:38.136417+0000","flow_id":2231183329897144,"pcap_cnt":348,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":54140,"proto":"UDP","dns":{"type":"answer","id":56325,"rcode":"NOERROR","rrname":"ctldl.windowsupdate.com","rrtype":"CNAME","ttl":5,"rdata":"audownload.windowsupdate.nsatc.net"}}
{"timestamp":"2019-05-10T20:06:38.136417+0000","flow_id":2231183329897144,"pcap_cnt":348,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":54140,"proto":"UDP","dns":{"type":"answer","id":56325,"rcode":"NOERROR","rrname":"audownload.windowsupdate.nsatc.net","rrtype":"CNAME","ttl":5,"rdata":"au.download.windowsupdate.com.hwcdn.net"}}
{"timestamp":"2019-05-10T20:06:38.136417+0000","flow_id":2231183329897144,"pcap_cnt":348,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":54140,"proto":"UDP","dns":{"type":"answer","id":56325,"rcode":"NOERROR","rrname":"au.download.windowsupdate.com.hwcdn.net","rrtype":"CNAME","ttl":5,"rdata":"cds.d2s7q6s2.hwcdn.net"}}
{"timestamp":"2019-05-10T20:06:38.136417+0000","flow_id":2231183329897144,"pcap_cnt":348,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":54140,"proto":"UDP","dns":{"type":"answer","id":56325,"rcode":"NOERROR","rrname":"cds.d2s7q6s2.hwcdn.net","rrtype":"A","ttl":5,"rdata":"205.185.216.10"}}
{"timestamp":"2019-05-10T20:06:38.136417+0000","flow_id":2231183329897144,"pcap_cnt":348,"event_type":"dns","src_ip":"10.5.10.1","src_port":53,"dest_ip":"10.5.10.102","dest_port":54140,"proto":"UDP","dns":{"type":"answer","id":56325,"rcode":"NOERROR","rrname":"cds.d2s7q6s2.hwcdn.net","rrtype":"A","ttl":5,"rdata":"205.185.216.42"}}
{"timestamp":"2019-05-10T20:06:38.216622+0000","flow_id":1250526332066892,"pcap_cnt":421,"event_type":"http","src_ip":"10.5.10.102","src_port":49160,"dest_ip":"205.185.216.10","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ctldl.windowsupdate.com","url":"\/msdownload\/update\/v3\/static\/trustedr\/en\/authrootstl.cab?9fae526a0a0ca3c1","http_user_agent":"Microsoft-CryptoAPI\/6.1","http_content_type":"application\/vnd.ms-cab-compressed"}}
{"timestamp":"2019-05-10T20:06:39.637915+0000","flow_id":2020025557806396,"pcap_cnt":486,"event_type":"alert","src_ip":"10.5.10.102","src_port":49161,"dest_ip":"77.244.214.218","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016141,"rev":5,"signature":"ET INFO Executable Download from dotted-quad Host","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-05-10T20:06:39.826341+0000","flow_id":2020025557806396,"pcap_cnt":520,"event_type":"alert","src_ip":"77.244.214.218","src_port":80,"dest_ip":"10.5.10.102","dest_port":49161,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-05-10T20:06:39.826341+0000","flow_id":2020025557806396,"pcap_cnt":520,"event_type":"alert","src_ip":"77.244.214.218","src_port":80,"dest_ip":"10.5.10.102","dest_port":49161,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-05-10T20:06:39.826341+0000","flow_id":2020025557806396,"pcap_cnt":520,"event_type":"alert","src_ip":"77.244.214.218","src_port":80,"dest_ip":"10.5.10.102","dest_port":49161,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021076,"rev":2,"signature":"ET INFO SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-05-10T20:06:40.002207+0000","flow_id":2120948699330444,"pcap_cnt":557,"event_type":"tls","src_ip":"10.5.10.102","src_port":49162,"dest_ip":"109.248.222.237","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space","issuerdn":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space"}}
{"timestamp":"2019-05-10T20:06:40.039235+0000","flow_id":2116112566160580,"pcap_cnt":611,"event_type":"tls","src_ip":"10.5.10.102","src_port":49167,"dest_ip":"109.248.222.237","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space","issuerdn":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space"}}
{"timestamp":"2019-05-10T20:06:40.055029+0000","flow_id":219304684390628,"pcap_cnt":614,"event_type":"tls","src_ip":"10.5.10.102","src_port":49166,"dest_ip":"109.248.222.237","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space","issuerdn":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space"}}
{"timestamp":"2019-05-10T20:06:40.080755+0000","flow_id":1661284119449015,"pcap_cnt":616,"event_type":"tls","src_ip":"10.5.10.102","src_port":49168,"dest_ip":"109.248.222.237","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space","issuerdn":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space"}}
{"timestamp":"2019-05-10T20:06:40.081618+0000","flow_id":486717938172704,"pcap_cnt":619,"event_type":"tls","src_ip":"10.5.10.102","src_port":49165,"dest_ip":"109.248.222.237","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space","issuerdn":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space"}}
{"timestamp":"2019-05-10T20:06:40.081732+0000","flow_id":1981310722605200,"pcap_cnt":621,"event_type":"tls","src_ip":"10.5.10.102","src_port":49164,"dest_ip":"109.248.222.237","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space","issuerdn":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space"}}
{"timestamp":"2019-05-10T20:06:40.085875+0000","flow_id":18111236373789,"pcap_cnt":623,"event_type":"tls","src_ip":"10.5.10.102","src_port":49163,"dest_ip":"109.248.222.237","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space","issuerdn":"C=US, ST=KY, O=icing's reappointed, OU=differentiates skateboarded, CN=catapult.space"}}
{"timestamp":"2019-05-10T20:06:40.226004+0000","flow_id":

This file has been truncated.


keyword_perf.log - (18060 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 5/20/2019 -- 08:09:44
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            3198            1               1               3198            3198.00         3198.00         0.00           
  flow             22983568        7566            7566            100618          3037.00         3037.00         0.00           
  threshold        35000           3               2               18822           11666.00        13095.00        8810.00        
  content          58175556        6227            1222            6246501         9342.00         12710.00        8520.00        
  pcre             1755927         240             121             60672           7316.00         6249.00         8401.00        
  byte_test        600385          187             109             11728           3210.00         3475.00         2840.00        
  byte_jump        573424          173             87              42941           3314.00         3136.00         3494.00        
  isdataat         65917           23              6               3660            2865.00         2900.00         2853.00        
  flowbits         16598666        3709            428             5894687         4475.00         2900.00         4680.00        
  urilen           200031          55              16              17821           3636.00         4457.00         3300.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            3198            1               1               3198            3198.00         3198.00         0.00           
  flow             22983568        7566            7566            100618          3037.00         3037.00         0.00           
  flowbits         16490436        3687            406             5894687         4472.00         2790.00         4680.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          27664178        3393            690             6246501         8153.00         4300.00         9136.00        
  pcre             796164          163             97              60672           4884.00         4229.00         5847.00        
  byte_test        600385          187             109             11728           3210.00         3475.00         2840.00        
  byte_jump        399297          129             62              5089            3095.00         3180.00         3016.00        
  isdataat         65917           23              6               3660            2865.00         2900.00         2853.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         108230          22              22              9263            4919.00         4919.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        35000           3               2               18822           11666.00        13095.00        8810.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          537743          128             86              45139           4201.00         4418.00         3755.00        
  pcre             536887          52              9               43509           10324.00        11644.00        10048.00       
  urilen           200031          55              16              17821           3636.00         4457.00         3300.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_request_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          13960           4               4               4603            3490.00         3490.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35500           11              0               3467            3227.00         0.00            3227.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          28905409        2444            286             301455          11827.00        40269.00        8057.00        
  pcre             32870           1               0               32870           32870.00        0.00            32870.00       
  byte_jump        174127          44              25              42941           3957.00         3029.00         5177.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          569511          136             91              23153           4187.00         4345.00         3867.00        
  pcre             329853          16              12              59114           20615.00        18982.00        25515.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          169371          37              19              17381           4577.00         3866.00         5327.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3345            1               1               3345            3345.00         3345.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3104            1               1               3104            3104.00         3104.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6713            2               0               3402            3356.00         0.00            3356.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6592            2               1               3512            3296.00         3512.00         3080.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3055            1               1               3055            3055.00         3055.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12697           3               0               4334            4232.00         0.00            4232.00        
  pcre             33236           3               0               21799           11078.00        0.00            11078.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          62338           19              12              3837            3280.00         3379.00         3112.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          98170           26              14              4861            3775.00         4231.00         3243.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- ---

This file has been truncated.


unified2.alert.1558339781 - (77194 bytes)
[binary unified2 alert records; the raw bytes do not render as text, so only the readable payload fragments captured in the records are kept below, and the payload that repeats across several records is shown once]

HTTP/1.1 200 OK
Date: Fri, 10 May 2019 19:59:11 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 09 May 2019 21:33:22 GMT
ETag: "3a085-5887b3306ec80"
Accept-Ranges: bytes
Content-Length: 237701
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg

MZ ... This program cannot be run in DOS mode.
[PE header follows; section names visible in the payload: .text .rdata .data .ndata .rsrc]
[import table names visible in the payload: USER32.dll (EndPaint, DrawTextA, FillRect, GetClientRect, BeginPaint, DefWindowProcA, SendMessageA, CreateDialogParamA, ExitWindowsEx, DialogBoxParamA, CreateWindowExA, RegisterClassA, MessageBoxIndirectA, ...), GDI32.dll (SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor), SHELL32.dll (SHFileOperationA, SHGetFileInfoA, SHBrowseForFolderA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation), ADVAPI32.dll (RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegCreateKeyExA), COMCTL32.dll (ImageList_Destroy, ImageList_AddMasked, ImageList_Create), ole32.dll (CoCreateInstance, OleUninitialize, OleInitialize, CoTaskMemFree)]
[strings visible in the payload:]
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.

More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
.tmp
~nsu
TMP TEMP Low\Temp /D= NCRC
NSIS Error
_Nb.exe
open
VerQueryValueA GetFileVersionInfoA GetFileVersionInfoSizeA VERSION
SHGetFolderPathA SHFOLDER
SHAutoComplete SHLWAPI SHELL32
InitiateShutdownA RegDeleteKeyExA ADVAPI32
GetUserDefaultUILanguage GetDiskFreeSpaceExA SetDefaultDllDirectories KERNEL32
\*.* nsa
[Rename]
%s=%s
*?|<>/":
%s%s.dll

This file has been truncated. Go here to download in full.


suricata-4.0.0-etopen-all-alert-2019-05-20-T-08-09-44-05202019.0809-2019-05-10-traffic-caused-by-malspam-attachment-1st-run-home-Windows-computer.pcap.txt - (4544 bytes) - download
05/10/2019-20:01:20.750767  [**] [1:2022050:3] ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 209.141.34.8:80 -> 10.5.10.102:49158
05/10/2019-20:01:20.871214  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 209.141.34.8:80 -> 10.5.10.102:49158
05/10/2019-20:01:20.871214  [**] [1:2022051:2] ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 209.141.34.8:80 -> 10.5.10.102:49158
05/10/2019-20:01:20.871214  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 209.141.34.8:80 -> 10.5.10.102:49158
05/10/2019-20:01:20.871214  [**] [1:2023672:4] ET TROJAN JS/WSF Downloader Dec 08 2016 M4 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 209.141.34.8:80 -> 10.5.10.102:49158
05/10/2019-20:01:20.871214  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 209.141.34.8:80 -> 10.5.10.102:49158
05/10/2019-20:06:39.637915  [**] [1:2016141:5] ET INFO Executable Download from dotted-quad Host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.5.10.102:49161 -> 77.244.214.218:80
05/10/2019-20:06:39.826341  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 77.244.214.218:80 -> 10.5.10.102:49161
05/10/2019-20:06:39.826341  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 77.244.214.218:80 -> 10.5.10.102:49161
05/10/2019-20:06:39.826341  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 77.244.214.218:80 -> 10.5.10.102:49161
05/10/2019-20:06:41.138264  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 195.123.237.152:80 -> 10.5.10.102:49169
05/10/2019-20:06:41.138264  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 195.123.237.152:80 -> 10.5.10.102:49169
05/10/2019-20:11:42.007970  [**] [1:2016141:5] ET INFO Executable Download from dotted-quad Host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.5.10.102:49172 -> 77.244.214.218:80
05/10/2019-20:11:42.197927  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 77.244.214.218:80 -> 10.5.10.102:49172
05/10/2019-20:11:42.197927  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 77.244.214.218:80 -> 10.5.10.102:49172
05/10/2019-20:11:42.197927  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 77.244.214.218:80 -> 10.5.10.102:49172
05/10/2019-20:11:42.584607  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 77.244.214.218:80 -> 10.5.10.102:49172
05/10/2019-20:11:44.835942  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.5.10.102:49175 -> 195.123.237.152:80
05/10/2019-20:11:45.199500  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 195.123.237.152:80 -> 10.5.10.102:49175
05/10/2019-20:11:50.597345  [**] [1:2008276:15] ET USER_AGENTS Suspicious User-Agent (contains loader) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.5.10.102:49175 -> 195.123.237.152:80
05/10/2019-20:11:50.852205  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 195.123.237.152:80 -> 10.5.10.102:49175


IDSDeathBlossom.py.log - (1220 bytes) - download
2019-05-20 08:09:33,014 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-05-20 08:09:33,774 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-05-20 08:09:33,775 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-05-20 08:09:33,775 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-05-20 08:09:33,775 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-05-20 08:09:33,776 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/c357afa0377d79ac7960d0f4c9dce2d7d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/05202019.0809-2019-05-10-traffic-caused-by-malspam-attachment-1st-run-home-Windows-computer.pcap -vvv -k none
2019-05-20 08:09:44,135 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-05-20 08:09:44,135 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 11.1311659813