Filename: zeus-sample-3.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 37.6719491482 seconds
Hash: c3cd7e69e7134beb64e7df639ee2150e
Uploaded: 1534232542

Logfiles


suricata-4.0.0-etpro-all-alert-2018-08-14-T-07-43-00-08142018.0742-zeus-sample-3.pcap.txt - (3741 bytes)
02/26/2010-13:58:07.010545  [**] [1:2017836:4] ET TROJAN Possible Zbot Activity Common Download Struct [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1032 -> 188.72.243.72:80
02/26/2010-13:58:07.010545  [**] [1:2018052:7] ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1032 -> 188.72.243.72:80
02/26/2010-13:58:37.159880  [**] [1:2016858:10] ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80
02/26/2010-13:58:37.159880  [**] [1:2019141:3] ET TROJAN Zbot POST Request to C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80
02/26/2010-13:58:37.333324  [**] [1:2016858:10] ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1033 -> 188.72.243.72:80
02/26/2010-13:58:37.333324  [**] [1:2019141:3] ET TROJAN Zbot POST Request to C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1033 -> 188.72.243.72:80
02/26/2010-13:58:37.439179  [**] [1:2018403:10] ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1033 -> 188.72.243.72:80
02/26/2010-13:58:37.439179  [**] [1:2019714:10] ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.3.65:1033 -> 188.72.243.72:80
02/26/2010-13:58:38.553613  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033
02/26/2010-13:58:38.553613  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033
02/26/2010-13:58:40.816152  [**] [1:2016858:10] ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80
02/26/2010-13:58:40.816152  [**] [1:2019141:3] ET TROJAN Zbot POST Request to C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1034 -> 188.72.243.72:80
02/26/2010-13:58:41.765028  [**] [1:2018403:10] ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1035 -> 188.72.243.72:80
02/26/2010-13:58:41.765028  [**] [1:2019714:10] ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.3.65:1035 -> 188.72.243.72:80
02/26/2010-13:58:43.097366  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035
02/26/2010-13:58:57.960729  [**] [1:2016858:10] ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80
02/26/2010-13:58:57.960729  [**] [1:2019141:3] ET TROJAN Zbot POST Request to C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80


packet_stats.log - (9129 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          1107          1518774      548010267     307778438        340.7b  100.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          1107            70623       27096240        550395        609.3m   96.34
TMM_RECEIVEPCAPFILE         IPv4       6          1105             2640       16024086         17778         19.6m    3.11
TMM_DECODEPCAPFILE          IPv4       6          1105             2769          44874          3154          3.5m    0.55

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          1105             2811         258390          4455          4.9m  0.88  
stream                  IPv4       6          1107             2799         499314         11718         13.0m  2.31  
detect                  IPv4       6          1107            46422       16542996        487785        540.0m  96.09 
tcp-prune               IPv4       6          1107             2622         105309          3681          4.1m  0.73  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             6             3600          51684         20624        123.7k  100.00

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             9            49266         289908        100421        903.8k  3.24  
LOGGER_UNIFIED2             IPv4       6             9            39426         230742        101478        913.3k  3.28  
LOGGER_JSON_ALERT           IPv4       6             9           131244       22572285       2637846         23.7m  85.23 
LOGGER_JSON_HTTP            IPv4       6             7            47097         296142        143212          1.0m  3.60  
LOGGER_JSON_FILE            IPv4       6            11            61161         223695        117641          1.3m  4.65  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           683             2760         140553         32821        22.4m  10.13 
stream                            IPv4       6           683             2613         743337         65935        45.0m  20.36 
http_uri                          IPv4       6             7            10635          19923         16943       118.6k  0.05  
http_request_line                 IPv4       6             7             7656          12822          9337        65.4k  0.03  
http_client_body                  IPv4       6             7             3009          51228         22125       154.9k  0.07  
http_header (request)             IPv4       6             7            46866          78330         66403       464.8k  0.21  
http_header (request trailer)     IPv4       6             7             2709           4530          3202        22.4k  0.01  
http_header_names (request)       IPv4       6             7            14760          26439         21822       152.8k  0.07  
http_accept (request)             IPv4       6             7             3603           4626          4125        28.9k  0.01  
http_referer (request)            IPv4       6             7             3078          81960         14754       103.3k  0.05  
http_content_len (request)        IPv4       6             7             3498           7038          5243        36.7k  0.02  
http_content_type (request)       IPv4       6             7             3387           4476          3829        26.8k  0.01  
http_protocol (request)           IPv4       6             7             3855           7335          5471        38.3k  0.02  
http_start (request)              IPv4       6             7             9366          38439         18673       130.7k  0.06  
http_raw_header (request)         IPv4       6             7            10821          36771         17863       125.0k  0.06  
http_method                       IPv4       6             7             5895          25485          9748        68.2k  0.03  
http_cookie (request)             IPv4       6             7             3273           5631          4060        28.4k  0.01  
http_raw_uri                      IPv4       6             7             3927           7596          5513        38.6k  0.02  
http_user_agent                   IPv4       6             7            18264          52005         31909       223.4k  0.10  
http_host                         IPv4       6             7             6099          10164          8672        60.7k  0.03  
http_response_line                IPv4       6             7             9663          14058         11515        80.6k  0.04  
http_header (response)            IPv4       6             7            54210          85830         65318       457.2k  0.21  
http_header (response trailer)    IPv4       6             7             3435           7491          5319        37.2k  0.02  
http_content_type (response)      IPv4       6             7             9057          15237         10867        76.1k  0.03  
http_raw_header (response)        IPv4       6           657             5442          41949          6876         4.5m  2.04  
http_cookie (response)            IPv4       6             7             3363           5610          4016        28.1k  0.01  
http_stat_code                    IPv4       6             7             4512           5370          4697        32.9k  0.01  
file_data (http response)         IPv4       6           650             2658       16110081        225585       146.6m  66.29 
Total                             IPv4                  2841                                         77859       221.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            10             4098         236688         73407        734.1k  0.09  
PROF_DETECT_RULES           IPv4       6          1107             2622       11788659        173541        192.1m  23.20 
PROF_DETECT_STATEFUL_START    IPv4       6           631             5289        3134754        147892         93.3m  11.27 
PROF_DETECT_STATEFUL_CONT    IPv4       6          1107             2628         507885         20129         22.3m  2.69  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          1087             2640          71712          3163          3.4m  0.42  
PROF_DETECT_PREFILTER       IPv4       6          1107             8085       16336872        233760        258.8m  31.25 
PROF_DETECT_PF_PAYLOAD      IPv4       6           683            14565         775347        107913         73.7m  8.90  
PROF_DETECT_PF_TX           IPv4       6          1087             2646       16130244        149410        162.4m  19.61 
PROF_DETECT_PF_SORT1        IPv4       6           590             2604          61770          4008          2.4m  0.29  
PROF_DETECT_PF_SORT2        IPv4       6          1107             2601          39870          3324          3.7m  0.44  
PROF_DETECT_NONMPMLIST      IPv4       6          1107             2613         141912          3543          3.9m  0.47  
PROF_DETECT_ALERT           IPv4       6          1107             2601          66990          3327          3.7m  0.44  
PROF_DETECT_CLEANUP         IPv4       6          1107             2643         338433          3623          4.0m  0.48  
PROF_DETECT_GETSGH          IPv4       6          1107             2604          33303          3276          3.6m  0.44  


unified2.alert.1534232578 - (46542 bytes)


suricata-report-2018-08-14-T-07-43-00-08142018.0742-zeus-sample-3.pcap.txt - (17771 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/c3cd7e69e7134beb64e7df639ee2150e56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/08142018.0742-zeus-sample-3.pcap -vvv -k none
elapsedtime:36.146944
stderr:
stdout:
14/8/2018 -- 07:42:24 - <Info> - Configuration node 'rule-files' redefined.
14/8/2018 -- 07:42:24 - <Notice> - This is Suricata version 4.0.0 RELEASE
14/8/2018 -- 07:42:24 - <Info> - CPUs/cores online: 1
14/8/2018 -- 07:42:24 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32090 and 'request-body-inspect-window' set to 16939 after randomization.
14/8/2018 -- 07:42:24 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31480 and 'response-body-inspect-window' set to 15933 after randomization.
14/8/2018 -- 07:42:24 - <Config> - DNS request flood protection level: 500
14/8/2018 -- 07:42:24 - <Config> - DNS per flow memcap (state-memcap): 524288
14/8/2018 -- 07:42:24 - <Config> - DNS global memcap: 16777216
14/8/2018 -- 07:42:24 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
14/8/2018 -- 07:42:24 - <Config> - preallocated 1000 hosts of size 136
14/8/2018 -- 07:42:24 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
14/8/2018 -- 07:42:24 - <Config> - using magic-file /usr/share/file/magic
14/8/2018 -- 07:42:24 - <Config> - Core dump size is unlimited.
14/8/2018 -- 07:42:24 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
14/8/2018 -- 07:42:24 - <Config> - preallocated 1000 defrag trackers of size 168
14/8/2018 -- 07:42:24 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
14/8/2018 -- 07:42:24 - <Config> - stream "prealloc-sessions": 2048 (per thread)
14/8/2018 -- 07:42:24 - <Config> - stream "memcap": 33554432
14/8/2018 -- 07:42:24 - <Config> - stream "midstream" session pickups: disabled
14/8/2018 -- 07:42:24 - <Config> - stream "async-oneside": disabled
14/8/2018 -- 07:42:24 - <Config> - stream "checksum-validation": disabled
14/8/2018 -- 07:42:24 - <Config> - stream."inline": disabled
14/8/2018 -- 07:42:24 - <Config> - stream "bypass": disabled
14/8/2018 -- 07:42:24 - <Config> - stream "max-synack-queued": 5
14/8/2018 -- 07:42:24 - <Config> - stream.reassembly "memcap": 134217728
14/8/2018 -- 07:42:24 - <Config> - stream.reassembly "depth": 0
14/8/2018 -- 07:42:24 - <Config> - stream.reassembly "toserver-chunk-size": 2595
14/8/2018 -- 07:42:24 - <Config> - stream.reassembly "toclient-chunk-size": 2513
14/8/2018 -- 07:42:24 - <Config> - stream.reassembly.raw: enabled
14/8/2018 -- 07:42:24 - <Config> - stream.reassembly "segment-prealloc": 2048
14/8/2018 -- 07:42:24 - <Config> - Delayed detect disabled
14/8/2018 -- 07:42:24 - <Config> - pattern matchers: MPM: ac, SPM: bm
14/8/2018 -- 07:42:24 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
14/8/2018 -- 07:42:24 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
14/8/2018 -- 07:42:24 - <Config> - prefilter engines: MPM
14/8/2018 -- 07:42:24 - <Config> - IP reputation disabled
14/8/2018 -- 07:42:24 - <Perf> - Registered 148 keyword profiling counters.
14/8/2018 -- 07:42:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
14/8/2018 -- 07:42:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
14/8/2018 -- 07:42:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
14/8/2018 -- 07:42:32 - <Config> - No rules loaded from ET-icmp.rules.
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
14/8/2018 -- 07:42:32 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
14/8/2018 -- 07:42:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
14/8/2018 -- 07:42:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
14/8/2018 -- 07:42:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
14/8/2018 -- 07:42:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
14/8/2018 -- 07:42:34 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
14/8/2018 -- 07:42:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
14/8/2018 -- 07:42:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
14/8/2018 -- 07:42:37 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
14/8/2018 -- 07:42:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
14/8/2018 -- 07:42:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
14/8/2018 -- 07:42:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
14/8/2018 -- 07:42:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
14/8/2018 -- 07:42:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
14/8/2018 -- 07:42:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
14/8/2018 -- 07:42:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
14/8/2018 -- 07:42:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
14/8/2018 -- 07:42:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
14/8/2018 -- 07:42:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
14/8/2018 -- 07:42:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
14/8/2018 -- 07:42:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
14/8/2018 -- 07:42:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
14/8/2018 -- 07:42:42 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
14/8/2018 -- 07:42:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
14/8/2018 -- 07:42:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
14/8/2018 -- 07:42:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
14/8/2018 -- 07:42:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
14/8/2018 -- 07:42:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
14/8/2018 -- 07:42:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
14/8/2018 -- 07:42:44 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
14/8/2018 -- 07:42:44 - <Config> - No rules loaded from local.rules.
14/8/2018 -- 07:42:44 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
14/8/2018 -- 07:42:44 - <Info> - Threshold config parsed: 0 rule(s) found
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for tcp-packet
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for tcp-stream
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for udp-packet
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for other-ip
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_uri
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_request_line
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_client_body
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_response_line
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_header
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_header
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_header_names
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_header_names
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_accept
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_accept_enc
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_accept_lang
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_referer
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_connection
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_content_len
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_content_len
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_content_type
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_content_type
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_protocol
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_protocol
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_start
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_start
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_raw_header
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_raw_header
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_method
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_cookie
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_cookie
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_raw_uri
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_user_agent
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_host
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_raw_host
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_stat_msg
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_stat_code
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for dns_query
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for tls_sni
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for tls_cert_issuer
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for tls_cert_subject
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for tls_cert_serial
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for dce_stub_data
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for dce_stub_data
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for ssh_protocol
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for ssh_protocol
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for ssh_software
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for ssh_software
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for file_data
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for file_data
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_request_line
14/8/2018 -- 07:42:45 - <Perf> - using shared mpm ctx' for http_response_line
14/8/2018 -- 07:42:45 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
14/8/2018 -- 07:42:45 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
14/8/2018 -- 07:42:46 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
14/8/2018 -- 07:42:46 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
14/8/2018 -- 07:42:46 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
14/8/2018 -- 07:42:46 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
14/8/2018 -- 07:42:46 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
14/8/2018 -- 07:42:46 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
14/8/2018 -- 07:42:55 - <Perf> - Unique rule groups: 104
14/8/2018 -- 07:42:55 - <Perf> - Builtin MPM "toserver TCP packet": 35
14/8/2018 -- 07:42:55 - <Perf> - Builtin MPM "toclient TCP packet": 17
14/8/2018 -- 07:42:55 - <Perf> - Builtin MPM "toserver TCP stream": 33
14/8/2018 -- 07:42:55 - <Perf> - Builtin MPM "toclient TCP stream": 19
14/8/2018 -- 07:42:55 - <Perf> - Builtin MPM "toserver UDP packet": 27
14/8/2018 -- 07:42:55 - <Perf> - Builtin MPM "toclient UDP packet": 17
14/8/2018 -- 07:42:55 - <Perf> - Builtin MPM "other IP packet": 3
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_uri": 14
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_request_line": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_client_body": 6
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient http_response_line": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_header": 10
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient http_header": 6
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_header_names": 2
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_accept": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_referer": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_content_len": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_content_type": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient http_content_type": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_protocol": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_start": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_method": 5
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_cookie": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient http_cookie": 2
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver http_host": 2
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver dns_query": 4
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver tls_sni": 2
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toserver file_data": 1
14/8/2018 -- 07:42:55 - <Perf> - AppLayer MPM "toclient file_data": 7
14/8/2018 -- 07:42:58 - <Perf> - Registered 39590 rule profiling counters.
14/8/2018 -- 07:42:58 - <Info> - fast output device (regular) initialized: alert
14/8/2018 -- 07:42:58 - <Info> - eve-log output device (regular) initialized: eve.json
14/8/2018 -- 07:42:58 - <Config> - enabling 'eve-log' module 'alert'
14/8/2018 -- 07:42:58 - <Config> - enabling 'eve-log' module 'http'
14/8/2018 -- 07:42:58 - <Config> - enabling 'eve-log' module 'dns'
14/8/2018 -- 07:42:58 - <Config> - enabling 'eve-log' module 'tls'
14/8/2018 -- 07:42:58 - <Config> - enabling 'eve-log' module 'files'
14/8/2018 -- 07:42:58 - <Config> - enabling 'eve-log' module 'ssh'
14/8/2018 -- 07:42:58 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
14/8/2018 -- 07:42:58 - <Info> - stats output device (regular) initialized: stats.log
14/8/2018 -- 07:42:58 - <Config> - AutoFP mode using "Hash" flow load balancer
14/8/2018 -- 07:42:58 - <Info> - reading pcap file /var/pcap/08142018.0742-zeus-sample-3.pcap
14/8/2018 -- 07:42:58 - <Config> - using 1 flow manager threads
14/8/2018 -- 07:42:

This file has been truncated. Go here to download in full.


suricata-4.0.0-etpro-all-perf.txt-2018-08-14-T-07-43-00-08142018.0742-zeus-sample-3.pcap.txt - (51286 bytes) - download
  --------------------------------------------------------------------------
  Date: 8/14/2018 -- 07:43:00. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2003657      1        18       6986664      4.14   7        0        6853314     998094.86   0.00        998094.86  
  2        2820158      1        2        28096406     16.66  150      0        787253      187309.37   0.00        187309.37  
  3        2820157      1        2        28435239     16.86  150      0        767706      189568.26   0.00        189568.26  
  4        2819664      1        2        5768406      3.42   27       0        355131      213644.67   0.00        213644.67  
  5        2819930      1        2        5232558      3.10   27       0        343875      193798.44   0.00        193798.44  
  6        2020865      1        3        3479826      2.06   18       0        328629      193323.67   0.00        193323.67  
  7        2016855      1        2        327870       0.19   1        0        327870      327870.00   0.00        327870.00  
  8        2016854      1        3        236130       0.14   1        0        236130      236130.00   0.00        236130.00  
  9        2803027      1        6        431591       0.26   5        0        229304      86318.20    0.00        86318.20   
  10       2016537      1        2        6761956      4.01   404      0        204723      16737.51    0.00        16737.51   
  11       2013441      1        9        261573       0.16   3        0        201324      87191.00    0.00        87191.00   
  12       2802987      1        5        648947       0.38   9        0        197732      72105.22    0.00        72105.22   
  13       2803657      1        5        250712       0.15   2        0        189827      125356.00   0.00        125356.00  
  14       2022797      1        2        184329       0.11   1        0        184329      184329.00   0.00        184329.00  
  15       2018121      1        4        223398       0.13   2        0        181110      111699.00   0.00        111699.00  
  16       2022896      1        5        239913       0.14   2        0        178224      119956.50   0.00        119956.50  
  17       2809747      1        2        172407       0.10   1        0        172407      172407.00   0.00        172407.00  
  18       2815325      1        3        412053       0.24   7        0        169377      58864.71    0.00        58864.71   
  19       2804911      1        3        246996       0.15   3        0        162051      82332.00    0.00        82332.00   
  20       2023547      1        3        556398       0.33   5        0        156684      111279.60   0.00        111279.60  
  21       2804906      1        3        204984       0.12   2        0        153990      102492.00   0.00        102492.00  
  22       2019715      1        2        149514       0.09   1        0        149514      149514.00   0.00        149514.00  
  23       2801930      1        7        283242       0.17   4        0        149298      70810.50    0.00        70810.50   
  24       2018052      1        7        148626       0.09   1        1        148626      148626.00   148626.00   0.00       
  25       2809859      1        6        359700       0.21   7        0        147138      51385.71    0.00        51385.71   
  26       2022270      1        2        180423       0.11   2        0        133584      90211.50    0.00        90211.50   
  27       2801929      1        7        305442       0.18   4        0        132168      76360.50    0.00        76360.50   
  28       2008575      1        5        4699847      2.79   466      0        121023      10085.51    0.00        10085.51   
  29       2025064      1        5        416151       0.25   7        0        120375      59450.14    0.00        59450.14   
  30       2018958      1        18       390963       0.23   7        0        119751      55851.86    0.00        55851.86   
  31       2018403      1        10       212454       0.13   2        2        118482      106227.00   106227.00   0.00       
  32       2807881      1        2        151563       0.09   2        0        114789      75781.50    0.00        75781.50   
  33       2016809      1        5        182205       0.11   4        0        114078      45551.25    0.00        45551.25   
  34       2018254      1        4        139335       0.08   2        0        111153      69667.50    0.00        69667.50   
  35       2804927      1        2        230562       0.14   4        0        108243      57640.50    0.00        57640.50   
  36       2019714      1        10       185610       0.11   2        2        107418      92805.00    92805.00    0.00       
  37       2009897      1        14       181266       0.11   3        0        106932      60422.00    0.00        60422.00   
  38       2019141      1        3        360759       0.21   4        4        104865      90189.75    90189.75    0.00       
  39       2012612      1        16       254010       0.15   7        0        104064      36287.14    0.00        36287.14   
  40       2816356      1        2        434682       0.26   7        0        103668      62097.43    0.00        62097.43   
  41       2018358      1        7        601560       0.36   7        0        101916      85937.14    0.00        85937.14   
  42       2021413      1        2        239769       0.14   4        0        101871      59942.25    0.00        59942.25   
  43       2022502      1        4        483378       0.29   7        0        97515       69054.00    0.00        69054.00   
  44       2816327      1        4        372153       0.22   7        0        97122       53164.71    0.00        53164.71   
  45       2816940      1        2        454173       0.27   7        0        96540       64881.86    0.00        64881.86   
  46       2019094      1        5        265701       0.16   4        0        95169       66425.25    0.00        66425.25   
  47       2816925      1        3        342774       0.20   7        0        95166       48967.71    0.00        48967.71   
  48       2820851      1        5        394716       0.23   7        0        91071       56388.00    0.00        56388.00   
  49       2024771      1        1        4271644      2.53   654      0        90426       6531.57     0.00        6531.57    
  50       2017552      1        6        6661449      3.95   411      0        90363       16207.91    0.00        16207.91   
  51       2016394      1        6        899160       0.53   34       0        90300       26445.88    0.00        26445.88   
  52       2020941      1        2        114039       0.07   2        0        89943       57019.50    0.00        57019.50   
  53       2018241      1        2        143361       0.08   2        0        88773       71680.50    0.00        71680.50   
  54       2016578      1        5        115014       0.07   2        0        87609       57507.00    0.00        57507.00   
  55       2816909      1        2        472374       0.28   7        0        87057       67482.00    0.00        67482.00   
  56       2823584      1        2        299514       0.18   13       0        86832       23039.54    0.00        23039.54   
  57       2017836      1        4        85242        0.05   1        1        85242       85242.00    85242.00    0.00       
  58       2815254      1        7        279153       0.17   4        0        85203       69788.25    0.00        69788.25   
  59       2024650      1        1        2410651      1.43   163      0        84390       14789.27    0.00        14789.27   
  60       2820117      1        2        83880        0.05   1        0        83880       83880.00    0.00        83880.00   
  61       2828877      1        1        1280688      0.76   399      0        83772       3209.74     0.00        3209.74    
  62       2016858      1        10       389544       0.23   7        4        83772       55649.14    73764.75    31495.00   
  63       2020991      1        2        131022       0.08   2        0        83163       65511.00    0.00        65511.00   
  64       2816910      1        2        456948       0.27   7        0        82251       65278.29    0.00        65278.29   
  65       2018452      1        15       315810       0.19   7        0        81870       45115.71    0.00        45115.71   
  66       2013352      1        4        131325       0.08   2        0        80739       65662.50    0.00        65662.50   
  67       2804907      1        3        207486       0.12   7        0        79899       29640.86    0.00        29640.86   
  68       2018959      1        3        150528       0.09   2        2        78924       75264.00    75264.00    0.00       
  69       2013076      1        9        151461       0.09   3        0        78915       50487.00    0.00        50487.00   
  70       2021418      1        9        231795       0.14   4        0        78147       57948.75    0.00        57948.75   
  71       2023316      1        2        85095        0.05   3        0        78015       28365.00    0.00        28365.00   
  72       2822847      1        6        340902       0.20   5        0        77346       68180.40    0.00        68180.40   
  73       2816526      1        13       297396       0.18   7        0        77226       42485.14    0.00        42485.14   
  74       2022901      1        2        259095       0.15   4        0        75867       64773.75    0.00        64773.75   
  75       2016097      1        4        124680       0.07   2        0        75450       62340.00    0.00        62340.00   
  76       2821641      1        2        327408       0.19   7        0        74961       46772.57    0.00        46772.57   
  77       2800881      1        3        74955        0.04   1        0        74955       74955.00    0.00        74955.00   
  78       2017190      1        6        96966        0.06   2        0        74853       48483.00    0.00        48483.00   
  79       2014471      1        6        132552       0.08   2        0        74850       66276.00    0.00        66276.00   
  80       2828748      1        2        1263960      0.75   399      0        74571       3167.82     0.00        3167.82    
  81       2821644      1        4        284298       0.17   7        0        73926       40614.00    0.00        40614.00   
  82       2828008      1        2        204540       0.12   7        0        73392       29220.00    0.00        29220.00   
  83       2816929      1        4        319296       0.19   7        0        72282       45613.71    0.00        45613.71   
  84       2022609      1        2        343602       0.20   7        0        71721       49086.00    0.00        49086.00   
  85       2014819      1        3        70929        0.04   1        0        70929       70929.00    0.00        70929.00   
  86       2015744      1        4        70104        0.04   1        1        70104       70104.00    70104.00    0.00       
  87       2022050      1        3        160815       0.10   3        0        69126       53605.00    0.00        53605.00   
  88       2016141      1        5        115806       0.07   2        0        68169       57903.00    0.00        57903.00   
  89       2821471      1        2        213024       0.13   4        0        68166       53256.00    0.00        53256.00   
  90       2017613      1        9        273192       0.16   7        0        68067       39027.43    0.00        39027.43   
  91       2819673      1        4        278361       0.17   7        0        66924       39765.86    0.00        39765.86   
  92       2020826      1        7        116766       0.07   2        0        66909       58383.00    0.00        58383.00   
  93       2815817      1        5        309300       0.18   7        0        66843       44185.71    0.00        44185.71   
  94       2009909      1        10       133584       0.08   3        0        65259       44528.00    0.00        44528.00   
  95       2021245      1        6        103251       0.06   2        0        65049       51625.50    0.00        51625.50   
  96       2812484      1        2        485175       0.29   34       0        64980       14269.85    0.00        14269.85   
  97       2806189      1        4        86184        0.05   2        0        64860       43092.00    0.00        43092.00   
  98       2827580      1        7        133446       0.08   4        0        64797       33361.50    0.00        33361.50   
  99       2807970      1        8        207669       0.12   4        0        64197       51917.25    0.00        51917.25   
  100      2022658      1        4        113589       0.07   2        0        63189       56794.50    0.00        56794.50   
  101      2816930      1        4        280755       0.17   7        0        63018       40107.86    0.00        40107.86   
  102      2815440      1        3        338046       0.20   7        0        62586       48292.29    0.00        48292.29   
  103      2809363      1        3        203682       0.12   4        0        62292       50920.50    0.00        50920.50   
  104      2024178      1        2        205548       0.12   7        0        61827       29364.00    0.00        29364.00   
  105      2820855      1        3        175992       0.10   7        0        61212       25141.71    0.00        25141.71   
  106      2828060      1        4        167466       0.10   4        0        60465       41866.50    0.00        41866.50   
  107      2022830      1        2        111720       0.07   2        0        60459       55860.00    0.00        55860.00   
  108      2828036      1        1        534204       0.32   23       0        59757       23226.26    0.00        23226.26   
  109      2811658      1        2        255258       0.15   13       0        59199       19635.23    0.00        19635.23   
  110      2022552      1        2        465954       0.28   18       0        58782       25886.33    0.00        25886.33   
  111      2019344      1        5        264114       0.16   7        0        58776       37730.57    0.00        37730.57   
  112      2018981      1        4        242298       0.14   7        0        58569       34614.00    0.00        34614.00   
  113      2816525      1        10       308001       0.18   7        0        58455       44000.14    0.00        44000.14   
  114      2022550      1        16       108882       0.06   2        0        58323       54441.00    0.00        54441.00   
  115      2018982      1        2        149427       0.09   3        0        57558       49809.00    0.00        49809.00   
  116      2805985      1        2        153348       0.09   3        0        57114       51116.00    0.00        51116.00   
  117      2011588      1        22       138744       0.08   3        0        57105       46248.00    0.00        46248.00   
  118      2020181      1        8        185394       0.11   4        0        56703       46348.50    0.00        46348.50   
  119      2018752      1        10       56469        0.03   1        0        56469       56469.00    0.00        56469.00   
  120      2021607      1        6        85335        0.05   2        0        56328       42667.50    0.00        42667.50   
  121      2020569      1        1        146931       0.09   3        0        56262       48977.00    0.00        48977.00   
  122      2014473      1        5        1084551      0.64   66       0        55836       16432.59    0.00        16432.59   
  123      2809753      1        2        95607        0.06   2        0        55731       47803.50    0.00        47803.50   
  124      2808234      1        1        144846       0.09   3        0        55362       48282.00    0.00        48282.00   
  125      2807400      1        3        1

This file has been truncated. Go here to download in full.
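The profiling table above is sorted by max ticks, which hides the two numbers a detection engineer usually wants first: which SIDs actually matched on this pcap, and which SIDs ate a large share of detection time without ever matching. The following Python is an added example (not code from this page or from Suricata) that parses that table format and produces both lists. SAMPLE_ROWS is a constructed excerpt: the header plus eight rows copied from the table above, so the script runs offline; the 1% tick-share cut-off is an assumed threshold, not anything the page states.

```python
"""Parse Suricata rule-profiling output ("Sorted by: max ticks" table) and
report (a) SIDs that matched and (b) SIDs that burned ticks without matching.

Added example; not code from this page or from Suricata.  SAMPLE_ROWS is a
constructed excerpt of the table above so the parser runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_ROWS = """\
  --------------------------------------------------------------------------
  Date: 8/14/2018 -- 07:43:00. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2003657      1        18       6986664      4.14   7        0        6853314     998094.86   0.00        998094.86
  2        2820158      1        2        28096406     16.66  150      0        787253      187309.37   0.00        187309.37
  3        2820157      1        2        28435239     16.86  150      0        767706      189568.26   0.00        189568.26
  24       2018052      1        7        148626       0.09   1        1        148626      148626.00   148626.00   0.00
  31       2018403      1        10       212454       0.13   2        2        118482      106227.00   106227.00   0.00
  38       2019141      1        3        360759       0.21   4        4        104865      90189.75    90189.75    0.00
  57       2017836      1        4        85242        0.05   1        1        85242       85242.00    85242.00    0.00
  62       2016858      1        10       389544       0.23   7        4        83772       55649.14    73764.75    31495.00
"""


@dataclass
class RuleProfile:
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float        # share of all rule ticks in this run
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float


# Data row layout: Num Rule Gid Rev Ticks % Checks Matches MaxTicks AvgTicks AvgMatch AvgNoMatch
ROW_RE = re.compile(
    r"^\s*\d+\s+(?P<sid>\d+)\s+(?P<gid>\d+)\s+(?P<rev>\d+)\s+(?P<ticks>\d+)\s+"
    r"(?P<pct>[\d.]+)\s+(?P<checks>\d+)\s+(?P<matches>\d+)\s+(?P<max>\d+)\s+"
    r"(?P<avg>[\d.]+)\s+[\d.]+\s+[\d.]+\s*$"
)


def parse_profile(text: str) -> list[RuleProfile]:
    """One RuleProfile per data row; date, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(RuleProfile(
            sid=int(m["sid"]), gid=int(m["gid"]), rev=int(m["rev"]),
            ticks=int(m["ticks"]), pct=float(m["pct"]),
            checks=int(m["checks"]), matches=int(m["matches"]),
            max_ticks=int(m["max"]), avg_ticks=float(m["avg"]),
        ))
    return rows


def matched_sids(rows: list[RuleProfile]) -> list[int]:
    """SIDs that fired at least once, most matches first (ties by SID)."""
    hits = (r for r in rows if r.matches > 0)
    return [r.sid for r in sorted(hits, key=lambda r: (-r.matches, r.sid))]


def costly_non_matching(rows: list[RuleProfile], min_pct: float = 1.0) -> list[int]:
    """SIDs with zero matches that still used at least min_pct of all rule ticks."""
    idle = (r for r in rows if r.matches == 0 and r.pct >= min_pct)
    return [r.sid for r in sorted(idle, key=lambda r: -r.pct)]


if __name__ == "__main__":
    rows = parse_profile(SAMPLE_ROWS)
    print("matched:", matched_sids(rows))
    print("costly, never matched:", costly_non_matching(rows))
```

On the full table above, the second list is the tuning signal: SIDs 2820157 and 2820158 alone account for roughly a third of all rule ticks in this run (16.86% and 16.66%) over 150 checks each with no match, while every rule that did match on the Zeus traffic sits well under 1%. Run the script against the complete perf file rather than the excerpt before deciding what to threshold or disable.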


stats.log - (2463 bytes) - download
------------------------------------------------------------------------------------
Date: 8/14/2018 -- 07:43:00 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 1105
decoder.bytes                              | Total                     | 970039
decoder.ipv4                               | Total                     | 1105
decoder.ethernet                           | Total                     | 1105
decoder.tcp                                | Total                     | 1105
decoder.avg_pkt_size                       | Total                     | 877
decoder.max_pkt_size                       | Total                     | 1434
flow.tcp                                   | Total                     | 5
tcp.sessions                               | Total                     | 5
tcp.syn                                    | Total                     | 5
tcp.synack                                 | Total                     | 5
tcp.rst                                    | Total                     | 1
detect.alert                               | Total                     | 17
detect.mpm_list                            | Total                     | 4
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 4
app_layer.flow.http                        | Total                     | 5
app_layer.tx.http                          | Total                     | 7
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 3
flow_mgr.flows_notimeout                   | Total                     | 3
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65533
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075168


eve.json - (16608 bytes)
{"timestamp":"2010-02-26T13:58:07.010545+0000","flow_id":387461136968044,"pcap_cnt":8,"event_type":"alert","src_ip":"192.168.3.65","src_port":1032,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2017836,"rev":4,"signature":"ET TROJAN Possible Zbot Activity Common Download Struct","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:07.010545+0000","flow_id":387461136968044,"pcap_cnt":8,"event_type":"alert","src_ip":"192.168.3.65","src_port":1032,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018052,"rev":7,"signature":"ET CURRENT_EVENTS Zbot Generic URI\/Header Struct .bin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2010-02-26T13:58:17.044541+0000","flow_id":387461136968044,"pcap_cnt":230,"event_type":"http","src_ip":"192.168.3.65","src_port":1032,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ishi-bati.com","url":"\/kartos\/kartos.bin","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2010-02-26T13:58:17.155003+0000","flow_id":387461136968044,"pcap_cnt":232,"event_type":"fileinfo","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1032,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/kartos.bin","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":185133},"app_proto":"http","fileinfo":{"filename":"\/kartos\/kartos.bin","gaps":false,"state":"CLOSED","stored":false,"size":185133,"tx_id":0}}
{"timestamp":"2010-02-26T13:58:37.159880+0000","flow_id":980192395540390,"pcap_cnt":245,"event_type":"alert","src_ip":"192.168.3.65","src_port":1034,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016858,"rev":10,"signature":"ET TROJAN Generic - POST To .php w\/Extended ASCII Characters (Likely Zeus Derivative)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:37.159880+0000","flow_id":980192395540390,"pcap_cnt":245,"event_type":"alert","src_ip":"192.168.3.65","src_port":1034,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019141,"rev":3,"signature":"ET TROJAN Zbot POST Request to C2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2010-02-26T13:58:37.159880+0000","flow_id":980192395540390,"pcap_cnt":245,"event_type":"http","src_ip":"192.168.3.65","src_port":1034,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html"}}
{"timestamp":"2010-02-26T13:58:37.159880+0000","flow_id":980192395540390,"pcap_cnt":245,"event_type":"fileinfo","src_ip":"192.168.3.65","src_port":1034,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":53},"app_proto":"http","fileinfo":{"filename":"\/kartos\/youyou.php","gaps":false,"state":"CLOSED","stored":false,"size":355,"tx_id":0}}
{"timestamp":"2010-02-26T13:58:37.333324+0000","flow_id":454234995439133,"pcap_cnt":247,"event_type":"alert","src_ip":"192.168.3.65","src_port":1033,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016858,"rev":10,"signature":"ET TROJAN Generic - POST To .php w\/Extended ASCII Characters (Likely Zeus Derivative)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:37.333324+0000","flow_id":454234995439133,"pcap_cnt":247,"event_type":"alert","src_ip":"192.168.3.65","src_port":1033,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019141,"rev":3,"signature":"ET TROJAN Zbot POST Request to C2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2010-02-26T13:58:37.333324+0000","flow_id":454234995439133,"pcap_cnt":247,"event_type":"http","src_ip":"192.168.3.65","src_port":1033,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html"}}
{"timestamp":"2010-02-26T13:58:37.333324+0000","flow_id":454234995439133,"pcap_cnt":247,"event_type":"fileinfo","src_ip":"192.168.3.65","src_port":1033,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":169},"app_proto":"http","fileinfo":{"filename":"\/kartos\/youyou.php","gaps":false,"state":"CLOSED","stored":false,"size":271,"tx_id":0}}
{"timestamp":"2010-02-26T13:58:37.437885+0000","flow_id":454234995439133,"pcap_cnt":248,"event_type":"fileinfo","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1033,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":169},"app_proto":"http","fileinfo":{"filename":"\/kartos\/youyou.php","gaps":false,"state":"CLOSED","stored":false,"size":169,"tx_id":0}}
{"timestamp":"2010-02-26T13:58:37.439179+0000","flow_id":454234995439133,"pcap_cnt":251,"event_type":"alert","src_ip":"192.168.3.65","src_port":1033,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018403,"rev":10,"signature":"ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:37.439179+0000","flow_id":454234995439133,"pcap_cnt":251,"event_type":"alert","src_ip":"192.168.3.65","src_port":1033,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019714,"rev":10,"signature":"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2010-02-26T13:58:38.553613+0000","flow_id":454234995439133,"pcap_cnt":294,"event_type":"alert","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1033,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:38.553613+0000","flow_id":454234995439133,"pcap_cnt":294,"event_type":"alert","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1033,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2015744,"rev":4,"signature":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","category":"Misc activity","severity":3}}
{"timestamp":"2010-02-26T13:58:40.189054+0000","flow_id":454234995439133,"pcap_cnt":383,"event_type":"http","src_ip":"192.168.3.65","src_port":1033,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"ishi-bati.com","url":"\/kartos\/krt.exe","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"application\/x-msdownload"}}
{"timestamp":"2010-02-26T13:58:40.293200+0000","flow_id":454234995439133,"pcap_cnt":385,"event_type":"fileinfo","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1033,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/krt.exe","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"application\/x-msdownload","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119296},"app_proto":"http","fileinfo":{"filename":"\/kartos\/krt.exe","gaps":false,"state":"CLOSED","stored":false,"size":119296,"tx_id":1}}
{"timestamp":"2010-02-26T13:58:40.734915+0000","flow_id":980192395540390,"pcap_cnt":387,"event_type":"fileinfo","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1034,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":53},"app_proto":"http","fileinfo":{"filename":"\/kartos\/youyou.php","gaps":false,"state":"CLOSED","stored":false,"size":44,"tx_id":0}}
{"timestamp":"2010-02-26T13:58:40.816152+0000","flow_id":980192395540390,"pcap_cnt":390,"event_type":"alert","src_ip":"192.168.3.65","src_port":1034,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016858,"rev":10,"signature":"ET TROJAN Generic - POST To .php w\/Extended ASCII Characters (Likely Zeus Derivative)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:40.816152+0000","flow_id":980192395540390,"pcap_cnt":390,"event_type":"alert","src_ip":"192.168.3.65","src_port":1034,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2019141,"rev":3,"signature":"ET TROJAN Zbot POST Request to C2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2010-02-26T13:58:40.816152+0000","flow_id":980192395540390,"pcap_cnt":390,"event_type":"http","src_ip":"192.168.3.65","src_port":1034,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html"}}
{"timestamp":"2010-02-26T13:58:40.816152+0000","flow_id":980192395540390,"pcap_cnt":390,"event_type":"fileinfo","src_ip":"192.168.3.65","src_port":1034,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":53},"app_proto":"http","fileinfo":{"filename":"\/kartos\/youyou.php","gaps":false,"state":"CLOSED","stored":false,"size":169,"tx_id":1}}
{"timestamp":"2010-02-26T13:58:41.765028+0000","flow_id":788503710495940,"pcap_cnt":398,"event_type":"alert","src_ip":"192.168.3.65","src_port":1035,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018403,"rev":10,"signature":"ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:41.765028+0000","flow_id":788503710495940,"pcap_cnt":398,"event_type":"alert","src_ip":"192.168.3.65","src_port":1035,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019714,"rev":10,"signature":"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2010-02-26T13:58:43.097366+0000","flow_id":788503710495940,"pcap_cnt":438,"event_type":"alert","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1035,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:45.818246+0000","flow_id":980192395540390,"pcap_cnt":508,"event_type":"fileinfo","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1034,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":53},"app_proto":"http","fileinfo":{"filename":"\/kartos\/youyou.php","gaps":false,"state":"CLOSED","stored":false,"size":44,"tx_id":1}}
{"timestamp":"2010-02-26T13:58:57.044468+0000","flow_id":788503710495940,"pcap_cnt":1092,"event_type":"http","src_ip":"192.168.3.65","src_port":1035,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.hostme.name","url":"\/ser.exe","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"application\/x-msdownload"}}
{"timestamp":"2010-02-26T13:58:57.145090+0000","flow_id":788503710495940,"pcap_cnt":1094,"event_type":"fileinfo","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1035,"proto":"TCP","http":{"hostname":"www.hostme.name","url":"\/ser.exe","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"application\/x-msdownload","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":593507},"app_proto":"http","fileinfo":{"filename":"\/ser.exe","gaps":false,"state":"CLOSED","stored":false,"size":593507,"tx_id":0}}
{"timestamp":"2010-02-26T13:58:57.960729+0000","flow_id":1656331918503794,"pcap_cnt":1103,"event_type":"alert","src_ip":"192.168.3.65","src_port":1036,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016858,"rev":10,"signature":"ET TROJAN Generic - POST To .php w\/Extended ASCII Characters (Likely Zeus Derivative)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2010-02-26T13:58:57.960729+0000","flow_id":1656331918503794,"pcap_cnt":1103,"event_type":"alert","src_ip":"192.168.3.65","src_port":1036,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019141,"rev":3,"signature":"ET TROJAN Zbot POST Request to C2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2010-02-26T13:58:57.960729+0000","flow_id":1656331918503794,"pcap_cnt":1103,"event_type":"http","src_ip":"192.168.3.65","src_port":1036,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html"}}
{"timestamp":"2010-02-26T13:58:57.960729+0000","flow_id":1656331918503794,"pcap_cnt":1103,"event_type":"fileinfo","src_ip":"192.168.3.65","src_port":1036,"dest_ip":"188.72.243.72","dest_port":80,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":53},"app_proto":"http","fileinfo":{"filename":"\/kartos\/youyou.php","gaps":false,"state":"CLOSED","stored":false,"size":169,"tx_id":0}}
{"timestamp":"2010-02-26T13:59:02.960450+0000","flow_id":1656331918503794,"pcap_cnt":1104,"event_type":"fileinfo","src_ip":"188.72.243.72","src_port":80,"dest_ip":"192.168.3.65","dest_port":1036,"proto":"TCP","http":{"hostname":"ishi-bati.com","url":"\/kartos\/youyou.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)","http_conte

This file has been truncated.


keyword_perf.log - (16702 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 8/14/2018 -- 07:43:00
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             11276168        3193            3193            89814           3531.00         3531.00         0.00           
  content          70392153        2766            1175            391071          25449.00        13547.00        34239.00       
  pcre             2938911         329             88              64305           8932.00         10839.00        8236.00        
  byte_test        212689          26              8               54237           8180.00         14275.00        5471.00        
  byte_jump        172075          46              40              17490           3740.00         3867.00         2898.00        
  isdataat         3288            1               1               3288            3288.00         3288.00         0.00           
  flowbits         3154542         913             30              34212           3455.00         5436.00         3387.00        
  urilen           818058          209             51              39090           3914.00         3577.00         4022.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             11276168        3193            3193            89814           3531.00         3531.00         0.00           
  flowbits         3092231         909             26              34212           3401.00         3876.00         3387.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4848682         387             129             144426          12528.00        11217.00        13184.00       
  pcre             16533           2               2               10449           8266.00         8266.00         0.00           
  byte_test        212689          26              8               54237           8180.00         14275.00        5471.00        
  byte_jump        131652          34              28              17490           3872.00         4080.00         2898.00        
  isdataat         3288            1               1               3288            3288.00         3288.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         62311           4               4               26097           15577.00        15577.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1320630         268             165             85008           4927.00         5265.00         4386.00        
  pcre             1412151         129             38              54393           10946.00        11531.00        10702.00       
  urilen           818058          209             51              39090           3914.00         3577.00         4022.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_request_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          16566           4               4               5508            4141.00         4141.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          49524           12              0               6669            4127.00         0.00            4127.00        
  pcre             33930           4               4               19005           8482.00         8482.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          23868           7               0               4224            3409.00         0.00            3409.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          59765031        1106            146             391071          54037.00        70350.00        51556.00       
  pcre             535428          98              0               37005           5463.00         0.00            5463.00        
  byte_jump        40423           12              12              5156            3368.00         3368.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2619459         572             447             42303           4579.00         4586.00         4555.00        
  pcre             694926          69              30              64305           10071.00        12477.00        8220.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          393510          85              59              38733           4629.00         4947.00         3908.00        
  pcre             27774           4               0               13131           6943.00         0.00            6943.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             32733           4               0               18258           8183.00         0.00            8183.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7143            2               2               3846            3571.00         3571.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          27153           8               8               3477            3394.00         3394.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9341            2               0               4952            4670.00         0.00            4670.00        
  pcre             50007           2               0               41799           25003.00        0.00            25003.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          409404          91              75              34287           4498.00         4268.00         5577.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          753645          186             116             36495           4051.00         4396.00         3481.00        
  pcre             90882           14              14              11436           6491.00         6491.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          96327           21              19              27291           4587.00         4663.00         3864.00        
  pcre             44547           3               0               21861           14849.00        0.00            14849.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6603            2               0               3354            3301.00         0.00            3301.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks 

This file has been truncated.


IDSDeathBlossom.py.log - (1153 bytes) - download
2018-08-14 07:42:23,091 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-08-14 07:42:24,284 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-08-14 07:42:24,284 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-08-14 07:42:24,285 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-08-14 07:42:24,285 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-08-14 07:42:24,285 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/c3cd7e69e7134beb64e7df639ee2150e56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/08142018.0742-zeus-sample-3.pcap -vvv -k none
2018-08-14 07:43:00,446 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-08-14 07:43:00,447 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 37.3706171513