--------------------------------------------------------------------------
Date: 12/11/2019 -- 17:35:18. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2828748 1 2 928772 7.45 8 0 871480 116096.50 0.00 116096.50
2 2100540 1 12 843794 6.77 2 0 837130 421897.00 0.00 421897.00
3 2805348 1 4 1791718 14.38 15 0 511634 119447.87 0.00 119447.87
4 2828876 1 1 474138 3.80 11 0 420964 43103.45 0.00 43103.45
5 2822691 1 1 95520 0.77 2 0 64148 47760.00 0.00 47760.00
6 2102123 1 7 53944 0.43 1 0 53944 53944.00 0.00 53944.00
7 2010140 1 7 603612 4.84 95 0 50804 6353.81 0.00 6353.81
8 2811544 1 1 118444 0.95 5 0 50630 23688.80 0.00 23688.80
9 2014701 1 12 139386 1.12 6 0 48796 23231.00 0.00 23231.00
10 2009702 1 5 136116 1.09 6 0 45450 22686.00 0.00 22686.00
11 2019230 1 2 111304 0.89 5 0 42120 22260.80 0.00 22260.80
12 2012932 1 8 41352 0.33 1 0 41352 41352.00 0.00 41352.00
13 2022543 1 1 101712 0.82 3 0 39708 33904.00 0.00 33904.00
14 2020326 1 4 39500 0.32 1 0 39500 39500.00 0.00 39500.00
15 2023623 1 3 192868 1.55 34 0 37292 5672.59 0.00 5672.59
16 2803760 1 3 90066 0.72 3 0 37064 30022.00 0.00 30022.00
17 2826281 1 2 89904 0.72 3 0 36148 29968.00 0.00 29968.00
18 2807573 1 3 53400 0.43 2 0 34972 26700.00 0.00 26700.00
19 2010143 1 3 514966 4.13 95 0 34220 5420.69 0.00 5420.69
20 2811577 1 2 102728 0.82 5 0 33738 20545.60 0.00 20545.60
21 2014703 1 9 102638 0.82 6 0 33542 17106.33 0.00 17106.33
22 2811542 1 1 96734 0.78 4 0 33426 24183.50 0.00 24183.50
23 2816499 1 1 50432 0.40 2 0 32994 25216.00 0.00 25216.00
24 2023622 1 3 359622 2.89 69 0 32812 5211.91 0.00 5211.91
25 2014702 1 9 103018 0.83 6 0 32484 17169.67 0.00 17169.67
26 2008120 1 4 508610 4.08 98 0 29746 5189.90 0.00 5189.90
27 2008116 1 4 202508 1.62 31 0 27606 6532.52 0.00 6532.52
28 2013739 1 15 483972 3.88 92 0 23738 5260.57 0.00 5260.57
29 2023627 1 3 275976 2.21 54 0 16672 5110.67 0.00 5110.67
30 2023626 1 3 343152 2.75 70 0 9744 4902.17 0.00 4902.17
31 2002992 1 7 8944 0.07 1 0 8944 8944.00 0.00 8944.00
32 2100518 1 8 162646 1.30 31 0 8890 5246.65 0.00 5246.65
33 2008118 1 3 150180 1.20 30 0 8446 5006.00 0.00 5006.00
34 2025200 1 1 37704 0.30 6 0 8314 6284.00 0.00 6284.00
35 2101936 1 9 8312 0.07 1 0 8312 8312.00 0.00 8312.00
36 2009243 1 2 149248 1.20 30 0 8076 4974.93 0.00 4974.93
37 2010939 1 3 7916 0.06 1 0 7916 7916.00 0.00 7916.00
38 2013506 1 1 7884 0.06 1 0 7884 7884.00 0.00 7884.00
39 2019017 1 3 101912 0.82 19 0 7850 5363.79 0.00 5363.79
40 2802823 1 1 19284 0.15 3 0 7800 6428.00 0.00 6428.00
41 2823788 1 4 18884 0.15 3 0 7784 6294.67 0.00 6294.67
42 2802205 1 3 159138 1.28 31 0 7780 5133.48 0.00 5133.48
43 2002910 1 6 7730 0.06 1 0 7730 7730.00 0.00 7730.00
44 2806561 1 5 7704 0.06 1 0 7704 7704.00 0.00 7704.00
45 2001219 1 20 7632 0.06 1 0 7632 7632.00 0.00 7632.00
46 2008117 1 3 147534 1.18 29 0 7624 5087.38 0.00 5087.38
47 2008119 1 3 19960 0.16 3 0 7348 6653.33 0.00 6653.33
48 2023624 1 3 319198 2.56 67 0 7322 4764.15 0.00 4764.15
49 2019010 1 3 102256 0.82 19 0 7286 5381.89 0.00 5381.89
50 2025427 1 1 7204 0.06 1 0 7204 7204.00 0.00 7204.00
51 2019016 1 3 146926 1.18 29 0 7200 5066.41 0.00 5066.41
52 2010938 1 3 7168 0.06 1 0 7168 7168.00 0.00 7168.00
53 2001582 1 15 7168 0.06 1 0 7168 7168.00 0.00 7168.00
54 2100654 1 17 7150 0.06 1 0 7150 7150.00 0.00 7150.00
55 2822838 1 2 171918 1.38 36 0 7134 4775.50 0.00 4775.50
56 2010142 1 4 447830 3.59 95 0 7130 4714.00 0.00 4714.00
57 2002911 1 6 7016 0.06 1 0 7016 7016.00 0.00 7016.00
58 2003068 1 7 7000 0.06 1 0 7000 7000.00 0.00 7000.00
59 2802822 1 1 145668 1.17 29 0 6994 5023.03 0.00 5023.03
60 2001580 1 15 6966 0.06 1 0 6966 6966.00 0.00 6966.00
61 2019011 1 3 150580 1.21 29 0 6940 5192.41 0.00 5192.41
62 2102523 1 8 12330 0.10 2 0 6874 6165.00 0.00 6165.00
63 2023625 1 3 241518 1.94 51 0 6862 4735.65 0.00 4735.65
64 2013075 1 8 16062 0.13 3 0 6842 5354.00 0.00 5354.00
65 2002995 1 10 6816 0.05 1 0 6816 6816.00 0.00 6816.00
66 2023614 1 3 16906 0.14 3 0 6798 5635.33 0.00 5635.33
67 2102523 1 8 12846 0.10 2 0 6780 6423.00 0.00 6423.00
68 2019012 1 3 12052 0.10 2 0 6726 6026.00 0.00 6026.00
69 2002993 1 7 6698 0.05 1 0 6698 6698.00 0.00 6698.00
70 2023616 1 3 11246 0.09 2 0 6692 5623.00 0.00 5623.00
71 2023619 1 3 66736 0.54 14 0 6670 4766.86 0.00 4766.86
72 2100540 1 12 12702 0.10 2 0 6576 6351.00 0.00 6351.00
73 2007917 1 4 6460 0.05 1 0 6460 6460.00 0.00 6460.00
74 2025401 1 2 16058 0.13 3 0 6358 5352.67 0.00 5352.67
75 2810805 1 5 10878 0.09 2 0 6198 5439.00 0.00 5439.00
76 2002994 1 7 6164 0.05 1 0 6164 6164.00 0.00 6164.00
77 2019019 1 3 11048 0.09 2 0 6140 5524.00 0.00 5524.00
78 2023612 1 4 84602 0.68 17 0 6122 4976.59 0.00 4976.59
79 2101634 1 15 6042 0.05 1 0 6042 6042.00 0.00 6042.00
80 2828877 1 1 39244 0.31 8 0 5980 4905.50 0.00 4905.50
81 2810792 1 5 5964 0.05 1 0 5964 5964.00 0.00 5964.00
82 2102330 1 3 5794 0.05 1 0 5794 5794.00 0.00 5794.00
83 2811176 1 6 5760 0.05 1 0 5760 5760.00 0.00 5760.00
84 2023617 1 3 66936 0.54 14 0 5674 4781.14 0.00 4781.14
85 2808496 1 1 5614 0.05 1 0 5614 5614.00 0.00 5614.00
86 2002981 1 4 5544 0.04 1 0 5544 5544.00 0.00 5544.00
87 2002087 1 10 5482 0.04 1 0 5482 5482.00 0.00 5482.00
88 2002023 1 16 5468 0.04 1 0 5468 5468.00 0.00 5468.00
89 2101972 1 18 5464 0.04 1 0 5464 5464.00 0.00 5464.00
90 2816920 1 1 5456 0.04 1 0 5456 5456.00 0.00 5456.00
91 2008953 1 9 5422 0.04 1 0 5422 5422.00 0.00 5422.00
92 2011487 1 2 10710 0.09 2 0 5414 5355.00 0.00 5355.00
93 2814488 1 1 5340 0.04 1 0 5340 5340.00 0.00 5340.00
94 2000328 1 12 5260 0.04 1 0 5260 5260.00 0.00 5260.00
95 2010642 1 3 10460 0.08 2 0 5246 5230.00 0.00 5230.00
96 2016179 1 2 5244 0.04 1 0 5244 5244.00 0.00 5244.00
97 2101734 1 36 5234 0.04 1 0 5234 5234.00 0.00 5234.00
98 2021050 1 1 5214 0.04 1 0 5214 5214.00 0.00 5214.00
99 2019020 1 3 10144 0.08 2 0 5208 5072.00 0.00 5072.00
100 2016178 1 2 5182 0.04 1 0 5182 5182.00 0.00 5182.00
101 2016181 1 2 5124 0.04 1 0 5124 5124.00 0.00 5124.00
102 2102257 1 10 4964 0.04 1 0 4964 4964.00 0.00 4964.00
103 2019014 1 4 9878 0.08 2 0 4948 4939.00 0.00 4939.00
104 2801347 1 5 32310 0.26 7 0 4940 4615.71 0.00 4615.71
105 2023621 1 4 13472 0.11 3 0 4528 4490.67 0.00 4490.67
106 2810802 1 5 4494 0.04 1 0 4494 4494.00 0.00 4494.00
107 2100474 1 5 4490 0.04 1 0 4490 4490.00 0.00 4490.00
Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 2 1 8434996 8434996 8434996 8.4m 0.09
IPv4 6 28 48560564 75159784 64044036 1.8b 18.26
IPv4 17 43 8188374 97651826 47078667 2.0b 20.61
IPv6 17 55 7665614 98428852 81752949 4.5b 45.79
IPv6 58 19 8680908 92386714 78843537 1.5b 15.25
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 2 1 148986 148986 148986 149.0k 0.15
TMM_FLOWWORKER IPv4 6 28 156210 1713594 694374 19.4m 20.00
TMM_FLOWWORKER IPv4 17 43 251140 27097134 1327015 57.1m 58.71
TMM_RECEIVEPCAPFILE IPv4 2 1 4484 4484 4484 4.5k 0.00
TMM_RECEIVEPCAPFILE IPv4 6 28 4440 6256 4788 134.1k 0.14
TMM_RECEIVEPCAPFILE IPv4 17 43 4438 9356 5108 219.7k 0.23
TMM_DECODEPCAPFILE IPv4 2 1 5406 5406 5406 5.4k 0.01
TMM_DECODEPCAPFILE IPv4 6 28 4580 18470 5907 165.4k 0.17
TMM_DECODEPCAPFILE IPv4 17 43 4604 8562 5151 221.5k 0.23
TMM_FLOWWORKER IPv6 17 55 190698 858194 294512 16.2m 16.67
TMM_FLOWWORKER IPv6 58 19 116038 248108 142892 2.7m 2.79
TMM_RECEIVEPCAPFILE IPv6 17 55 4450 12252 5535 304.4k 0.31
TMM_RECEIVEPCAPFILE IPv6 58 19 4486 6806 5132 97.5k 0.10
TMM_DECODEPCAPFILE IPv6 17 55 4596 54242 6626 364.5k 0.37
TMM_DECODEPCAPFILE IPv6 58 19 4700 13024 6004 114.1k 0.12
Flow Worker IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
flow IPv4 6 28 4984 818822 35163 984.6k 1.55
flow IPv4 17 43 4760 39586 7401 318.2k 0.50
stream IPv4 6 28 5054 285476 30673 858.8k 1.35
app-layer IPv4 17 43 4446 574034 23645 1.0m 1.60
detect IPv4 2 1 138624 138624 138624 138.6k 0.22
detect IPv4 6 28 100998 1483162 489360 13.7m 21.52
detect IPv4 17 43 222838 8796386 636985 27.4m 43.01
tcp-prune IPv4 6 28 4500 1579050 64233 1.8m 2.82
flow IPv6 17 55 4770 125810 8376 460.7k 0.72
flow IPv6 58 19 4800 11710 6403 121.7k 0.19
app-layer IPv6 17 55 4496 55158 9460 520.3k 0.82
detect IPv6 17 55 161410 793990 256031 14.1m 22.11
detect IPv6 58 19 97020 221960 120333 2.3m 3.59
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
smtp IPv4 6 1 18640 18640 18640 18.6k 6.74
dns IPv4 17 6 10738 25478 15027 90.2k 32.62
smtp IPv6 17 3 9858 18640 12785 38.4k 13.88
dns IPv6 17 11 11748 11748 11748 129.2k 46.76
Proto detect IPv4 17 9 5014 22700 12858 115.7k
Proto detect IPv6 17 16 4612 43968 9418 150.7k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
LOGGER_JSON_DNS IPv4 17 6 92890 26210348 4484607 26.9m 100.00
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 20 5212 98484 24989 499.8k 12.13
payload IPv4 17 43 6028 237658 42092 1.8m 43.95
stream IPv4 6 20 4446 274302 23363 467.3k 11.35
dns_query IPv4 17 3 16892 24240 21496 64.5k 1.57
file_data (smtp) IPv4 6 10 4438 7748 5208 52.1k 1.26
Total IPv4 96 30141 2.9m
payload IPv6 17 55 5496 162684 17898 984.4k 23.90
payload IPv6 58 19 5052 92962 12662 240.6k 5.84
Total IPv6 74 16553 1.2m
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
PROF_DETECT_IPONLY IPv4 2 1 42926 42926 42926 42.9k 0.08
PROF_DETECT_IPONLY IPv4 6 2 155092 198794 176943 353.9k 0.62
PROF_DETECT_IPONLY IPv4 17 9 43272 194334 82458 742.1k 1.30
PROF_DETECT_RULES IPv4 2 1 4474 4474 4474 4.5k 0.01
PROF_DETECT_RULES IPv4 6 28 4480 926878 184528 5.2m 9.05
PROF_DETECT_RULES IPv4 17 43 115008 736700 255050 11.0m 19.20
PROF_DETECT_STATEFUL_CONT IPv4 2 1 4714 4714 4714 4.7k 0.01
PROF_DETECT_STATEFUL_CONT IPv4 6 28 5206 19368 9130 255.7k 0.45
PROF_DETECT_STATEFUL_CONT IPv4 17 43 4416 58834 7274 312.8k 0.55
PROF_DETECT_STATEFUL_UPDATE IPv4 6 23 4488 11054 5055 116.3k 0.20
PROF_DETECT_STATEFUL_UPDATE IPv4 17 6 4920 7242 6360 38.2k 0.07
PROF_DETECT_PREFILTER IPv4 2 1 26954 26954 26954 27.0k 0.05
PROF_DETECT_PREFILTER IPv4 6 28 18966 877974 113436 3.2m 5.56
PROF_DETECT_PREFILTER IPv4 17 43 42348 492656 98286 4.2m 7.40
PROF_DETECT_PF_PAYLOAD IPv4 6 20 24448 293138 62785 1.3m 2.20
PROF_DETECT_PF_PAYLOAD IPv4 17 43 14948 247178 53756 2.3m 4.05
PROF_DETECT_PF_TX IPv4 6 23 4516 20864 9535 219.3k 0.38
PROF_DETECT_PF_TX IPv4 17 3 31252 34254 33148 99.4k 0.17
PROF_DETECT_PF_SORT1 IPv4 6 12 4470 7716 5294 63.5k 0.11
PROF_DETECT_PF_SORT1 IPv4 17 43 4630 424670 16261 699.3k 1.22
PROF_DETECT_PF_SORT2 IPv4 2 1 4712 4712 4712 4.7k 0.01
PROF_DETECT_PF_SORT2 IPv4 6 28 4462 90888 8509 238.3k 0.42
PROF_DETECT_PF_SORT2 IPv4 17 43 4462 8042 5270 226.6k 0.40
PROF_DETECT_NONMPMLIST IPv4 2 1 4682 4682 4682 4.7k 0.01
PROF_DETECT_NONMPMLIST IPv4 6 28 4484 7562 5321 149.0k 0.26
PROF_DETECT_NONMPMLIST IPv4 17 43 4430 7260 5077 218.3k 0.38
PROF_DETECT_ALERT IPv4 2 1 4484 4484 4484 4.5k 0.01
PROF_DETECT_ALERT IPv4 6 28 4454 6828 5115 143.2k 0.25
PROF_DETECT_ALERT IPv4 17 43 4434 8187606 195135 8.4m 14.69
PROF_DETECT_CLEANUP IPv4 2 1 4476 4476 4476 4.5k 0.01
PROF_DETECT_CLEANUP IPv4 6 28 4468 841826 36938 1.0m 1.81
PROF_DETECT_CLEANUP IPv4 17 43 4438 9000 5138 221.0k 0.39
PROF_DETECT_GETSGH IPv4 2 1 4730 4730 4730 4.7k 0.01
PROF_DETECT_GETSGH IPv4 6 28 4450 88926 9928 278.0k 0.49
PROF_DETECT_GETSGH IPv4 17 43 4426 15690 6467 278.1k 0.49
PROF_DETECT_IPONLY IPv6 17 16 4772 70202 10801 172.8k 0.30
PROF_DETECT_IPONLY IPv6 58 2 5252 13654 9453 18.9k 0.03
PROF_DETECT_RULES IPv6 17 55 58754 610658 118574 6.5m 11.42
PROF_DETECT_RULES IPv6 58 19 4448 19760 5724 108.8k 0.19
PROF_DETECT_STATEFUL_CONT IPv6 17 55 4412 6124 4886 268.8k 0.47
PROF_DETECT_STATEFUL_CONT IPv6 58 19 4432 6454 4960 94.3k 0.17
PROF_DETECT_PREFILTER IPv6 17 55 41430 207372 61244 3.4m 5.90
PROF_DETECT_PREFILTER IPv6 58 19 32336 121578 45138 857.6k 1.50
PROF_DETECT_PF_PAYLOAD IPv6 17 55 14380 171712 27866 1.5m 2.68
PROF_DETECT_PF_PAYLOAD IPv6 58 19 14044 102124 23684 450.0k 0.79
PROF_DETECT_PF_SORT1 IPv6 17 55 4542 8508 5361 294.9k 0.52
PROF_DETECT_PF_SORT2 IPv6 17 55 4460 6510 5012 275.7k 0.48
PROF_DETECT_PF_SORT2 IPv6 58 19 4408 6212 4790 91.0k 0.16
PROF_DETECT_NONMPMLIST IPv6 17 55 4442 28994 5368 295.2k 0.52
PROF_DETECT_NONMPMLIST IPv6 58 19 4426 24174 6049 114.9k 0.20
PROF_DETECT_ALERT IPv6 17 55 4438 19782 5071 279.0k 0.49
PROF_DETECT_ALERT IPv6 58 19 4426 6376 4776 90.7k 0.16
PROF_DETECT_CLEANUP IPv6 17 55 4424 19250 5439 299.2k 0.52
PROF_DETECT_CLEANUP IPv6 58 19 4422 6930 4874 92.6k 0.16
PROF_DETECT_GETSGH IPv6 17 55 4634 66388 9081 499.5k 0.87
PROF_DETECT_GETSGH IPv6 58 19 4432 11920 5459 103.7k 0.18
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/c3f062f091751aeb37658194d61b4c0c56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12112019.1734-36b34b28-30f0-4c4a-88ea-1449c2768125.pcap -vvv -k none
elapsedtime:26.767259
stderr:
stdout:
11/12/2019 -- 17:34:51 - <Info> - Configuration node 'rule-files' redefined.
11/12/2019 -- 17:34:51 - <Notice> - This is Suricata version 4.0.0 RELEASE
11/12/2019 -- 17:34:51 - <Info> - CPUs/cores online: 1
11/12/2019 -- 17:34:51 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31596 and 'request-body-inspect-window' set to 15703 after randomization.
11/12/2019 -- 17:34:51 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33062 and 'response-body-inspect-window' set to 17073 after randomization.
11/12/2019 -- 17:34:51 - <Config> - DNS request flood protection level: 500
11/12/2019 -- 17:34:51 - <Config> - DNS per flow memcap (state-memcap): 524288
11/12/2019 -- 17:34:51 - <Config> - DNS global memcap: 16777216
11/12/2019 -- 17:34:51 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
11/12/2019 -- 17:34:51 - <Config> - preallocated 1000 hosts of size 136
11/12/2019 -- 17:34:51 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
11/12/2019 -- 17:34:51 - <Config> - using magic-file /usr/share/file/magic
11/12/2019 -- 17:34:51 - <Config> - Core dump size is unlimited.
11/12/2019 -- 17:34:51 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
11/12/2019 -- 17:34:51 - <Config> - preallocated 1000 defrag trackers of size 168
11/12/2019 -- 17:34:51 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
11/12/2019 -- 17:34:51 - <Config> - stream "prealloc-sessions": 2048 (per thread)
11/12/2019 -- 17:34:51 - <Config> - stream "memcap": 33554432
11/12/2019 -- 17:34:51 - <Config> - stream "midstream" session pickups: disabled
11/12/2019 -- 17:34:51 - <Config> - stream "async-oneside": disabled
11/12/2019 -- 17:34:51 - <Config> - stream "checksum-validation": disabled
11/12/2019 -- 17:34:51 - <Config> - stream."inline": disabled
11/12/2019 -- 17:34:51 - <Config> - stream "bypass": disabled
11/12/2019 -- 17:34:51 - <Config> - stream "max-synack-queued": 5
11/12/2019 -- 17:34:51 - <Config> - stream.reassembly "memcap": 134217728
11/12/2019 -- 17:34:51 - <Config> - stream.reassembly "depth": 0
11/12/2019 -- 17:34:51 - <Config> - stream.reassembly "toserver-chunk-size": 2614
11/12/2019 -- 17:34:51 - <Config> - stream.reassembly "toclient-chunk-size": 2490
11/12/2019 -- 17:34:51 - <Config> - stream.reassembly.raw: enabled
11/12/2019 -- 17:34:51 - <Config> - stream.reassembly "segment-prealloc": 2048
11/12/2019 -- 17:34:51 - <Config> - Delayed detect disabled
11/12/2019 -- 17:34:51 - <Config> - pattern matchers: MPM: ac, SPM: bm
11/12/2019 -- 17:34:51 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
11/12/2019 -- 17:34:51 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
11/12/2019 -- 17:34:51 - <Config> - prefilter engines: MPM
11/12/2019 -- 17:34:51 - <Config> - IP reputation disabled
11/12/2019 -- 17:34:51 - <Perf> - Registered 148 keyword profiling counters.
11/12/2019 -- 17:34:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
11/12/2019 -- 17:34:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
11/12/2019 -- 17:34:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
11/12/2019 -- 17:34:57 - <Config> - No rules loaded from ET-icmp.rules.
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
11/12/2019 -- 17:34:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
11/12/2019 -- 17:34:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
11/12/2019 -- 17:34:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
11/12/2019 -- 17:34:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
11/12/2019 -- 17:35:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
11/12/2019 -- 17:35:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
11/12/2019 -- 17:35:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
11/12/2019 -- 17:35:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
11/12/2019 -- 17:35:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
11/12/2019 -- 17:35:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
11/12/2019 -- 17:35:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
11/12/2019 -- 17:35:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
11/12/2019 -- 17:35:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
11/12/2019 -- 17:35:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
11/12/2019 -- 17:35:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
11/12/2019 -- 17:35:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
11/12/2019 -- 17:35:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
11/12/2019 -- 17:35:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
11/12/2019 -- 17:35:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
11/12/2019 -- 17:35:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
11/12/2019 -- 17:35:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
11/12/2019 -- 17:35:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
11/12/2019 -- 17:35:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
11/12/2019 -- 17:35:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
11/12/2019 -- 17:35:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
11/12/2019 -- 17:35:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
11/12/2019 -- 17:35:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
11/12/2019 -- 17:35:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
11/12/2019 -- 17:35:06 - <Config> - No rules loaded from local.rules.
11/12/2019 -- 17:35:06 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
11/12/2019 -- 17:35:06 - <Info> - Threshold config parsed: 0 rule(s) found
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for tcp-packet
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for tcp-stream
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for udp-packet
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for other-ip
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_uri
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_request_line
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_client_body
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_response_line
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_header
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_header
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_header_names
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_header_names
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_accept
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_accept_enc
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_accept_lang
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_referer
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_connection
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_content_len
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_content_len
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_content_type
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_content_type
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_protocol
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_protocol
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_start
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_start
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_raw_header
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_raw_header
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_method
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_cookie
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_cookie
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_raw_uri
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_user_agent
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_host
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_raw_host
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_stat_msg
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_stat_code
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for dns_query
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for tls_sni
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for tls_cert_issuer
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for tls_cert_subject
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for tls_cert_serial
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for dce_stub_data
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for dce_stub_data
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for ssh_protocol
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for ssh_protocol
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for ssh_software
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for ssh_software
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for file_data
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for file_data
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_request_line
11/12/2019 -- 17:35:07 - <Perf> - using shared mpm ctx' for http_response_line
11/12/2019 -- 17:35:07 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
11/12/2019 -- 17:35:07 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
11/12/2019 -- 17:35:07 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
11/12/2019 -- 17:35:07 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
11/12/2019 -- 17:35:07 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
11/12/2019 -- 17:35:07 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
11/12/2019 -- 17:35:07 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
11/12/2019 -- 17:35:07 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
11/12/2019 -- 17:35:14 - <Perf> - Unique rule groups: 104
11/12/2019 -- 17:35:14 - <Perf> - Builtin MPM "toserver TCP packet": 35
11/12/2019 -- 17:35:14 - <Perf> - Builtin MPM "toclient TCP packet": 17
11/12/2019 -- 17:35:14 - <Perf> - Builtin MPM "toserver TCP stream": 33
11/12/2019 -- 17:35:14 - <Perf> - Builtin MPM "toclient TCP stream": 19
11/12/2019 -- 17:35:14 - <Perf> - Builtin MPM "toserver UDP packet": 27
11/12/2019 -- 17:35:14 - <Perf> - Builtin MPM "toclient UDP packet": 17
11/12/2019 -- 17:35:14 - <Perf> - Builtin MPM "other IP packet": 3
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_uri": 14
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_request_line": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_client_body": 6
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient http_response_line": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_header": 10
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient http_header": 6
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_header_names": 2
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_accept": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_referer": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_content_len": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_content_type": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient http_content_type": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_protocol": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_start": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_method": 5
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_cookie": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient http_cookie": 2
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver http_host": 2
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver dns_query": 4
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver tls_sni": 2
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toserver file_data": 1
11/12/2019 -- 17:35:14 - <Perf> - AppLayer MPM "toclient file_data": 7
11/12/2019 -- 17:35:17 - <Perf> - Registered 39590 rule profiling counters.
11/12/2019 -- 17:35:17 - <Info> - fast output device (regular) initialized: alert
11/12/2019 -- 17:35:17 - <Info> - eve-log output device (regular) initialized: eve.json
11/12/2019 -- 17:35:17 - <Config> - enabling 'eve-log' module 'alert'
11/12/2019 -- 17:35:17 - <Config> - enabling 'eve-log' module 'http'
11/12/2019 -- 17:35:17 - <Config> - enabling 'eve-log' module 'dns'
11/12/2019 -- 17:35:17 - <Config> - enabling 'eve-log' module 'tls'
11/12/2019 -- 17:35:17 - <Config> - enabling 'eve-log' module 'files'
11/12/2019 -- 17:35:17 - <Config> - enabling 'eve-log' module 'ssh'
11/12/2019 -- 17:35:17 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
11/12/2019 -- 17:35:17 - <Info> - stats output device (regular) initialized: stats.log
11/12/2019 -- 17:35:17 - <Config> - Aut
------------------------------------------------------------------------------------
Date: 12/11/2019 -- 17:35:18 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 372
decoder.bytes | Total | 27418
decoder.ipv4 | Total | 72
decoder.ipv6 | Total | 74
decoder.ethernet | Total | 372
decoder.tcp | Total | 28
decoder.udp | Total | 98
decoder.icmpv6 | Total | 19
decoder.avg_pkt_size | Total | 73
decoder.max_pkt_size | Total | 397
flow.tcp | Total | 1
flow.udp | Total | 22
flow.icmpv6 | Total | 2
tcp.sessions | Total | 1
tcp.syn | Total | 1
tcp.synack | Total | 1
detect.mpm_list | Total | 8
detect.nonmpm_list | Total | 2
detect.fnonmpm_list | Total | 1
detect.match_list | Total | 9
app_layer.flow.smtp | Total | 1
app_layer.tx.smtp | Total | 1
app_layer.flow.dns_udp | Total | 3
app_layer.tx.dns_udp | Total | 3
app_layer.flow.failed_udp | Total | 19
flow.spare | Total | 9999
flow_mgr.flows_checked | Total | 3
flow_mgr.flows_notimeout | Total | 3
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65533
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7076896
{"timestamp":"2019-12-11T16:03:34.867473+0000","flow_id":1525211930705041,"pcap_cnt":31,"event_type":"dns","src_ip":"192.168.100.143","src_port":53530,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19578,"rrname":"self.events.data.microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-12-11T16:03:34.899469+0000","flow_id":1525211930705041,"pcap_cnt":32,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":53530,"proto":"UDP","dns":{"type":"answer","id":19578,"rcode":"NOERROR","rrname":"self.events.data.microsoft.com","rrtype":"CNAME","ttl":1646,"rdata":"self.events.data.onecollector.akadns.net"}}
{"timestamp":"2019-12-11T16:03:34.899469+0000","flow_id":1525211930705041,"pcap_cnt":32,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":53530,"proto":"UDP","dns":{"type":"answer","id":19578,"rcode":"NOERROR","rrname":"self.events.data.onecollector.akadns.net","rrtype":"A","ttl":29,"rdata":"52.114.128.9"}}
{"timestamp":"2019-12-11T16:03:52.925030+0000","flow_id":2142523286363494,"pcap_cnt":49,"event_type":"dns","src_ip":"192.168.100.143","src_port":64724,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42785,"rrname":"smtp.ssgtoolz.net","rrtype":"A","tx_id":0}}
{"timestamp":"2019-12-11T16:03:53.067891+0000","flow_id":2142523286363494,"pcap_cnt":50,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":64724,"proto":"UDP","dns":{"type":"answer","id":42785,"rcode":"NOERROR","rrname":"smtp.ssgtoolz.net","rrtype":"CNAME","ttl":21599,"rdata":"us2.smtp.mailhostbox.com"}}
{"timestamp":"2019-12-11T16:03:53.067891+0000","flow_id":2142523286363494,"pcap_cnt":50,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":64724,"proto":"UDP","dns":{"type":"answer","id":42785,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":299,"rdata":"208.91.198.143"}}
{"timestamp":"2019-12-11T16:03:53.067891+0000","flow_id":2142523286363494,"pcap_cnt":50,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":64724,"proto":"UDP","dns":{"type":"answer","id":42785,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":299,"rdata":"208.91.199.223"}}
{"timestamp":"2019-12-11T16:03:53.067891+0000","flow_id":2142523286363494,"pcap_cnt":50,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":64724,"proto":"UDP","dns":{"type":"answer","id":42785,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":299,"rdata":"208.91.199.225"}}
{"timestamp":"2019-12-11T16:03:53.067891+0000","flow_id":2142523286363494,"pcap_cnt":50,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":64724,"proto":"UDP","dns":{"type":"answer","id":42785,"rcode":"NOERROR","rrname":"us2.smtp.mailhostbox.com","rrtype":"A","ttl":299,"rdata":"208.91.199.224"}}
{"timestamp":"2019-12-11T16:04:12.457861+0000","flow_id":112803348020357,"pcap_cnt":116,"event_type":"dns","src_ip":"192.168.100.143","src_port":51493,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5295,"rrname":"nexusrules.officeapps.live.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-12-11T16:04:12.458107+0000","flow_id":112803348020357,"pcap_cnt":117,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":51493,"proto":"UDP","dns":{"type":"answer","id":5295,"rcode":"NOERROR","rrname":"nexusrules.officeapps.live.com","rrtype":"CNAME","ttl":593,"rdata":"prod.nexusrules.live.com.akadns.net"}}
{"timestamp":"2019-12-11T16:04:12.458107+0000","flow_id":112803348020357,"pcap_cnt":117,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.143","dest_port":51493,"proto":"UDP","dns":{"type":"answer","id":5295,"rcode":"NOERROR","rrname":"prod.nexusrules.live.com.akadns.net","rrtype":"A","ttl":32,"rdata":"52.109.120.19"}}
--------------------------------------------------------------------------------------------------------------------------------
Date: 12/11/2019 -- 17:35:18
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 570310 89 56 22760 6407.00 6709.00 5895.00
pcre 148878 4 0 74006 37219.00 0.00 37219.00
byte_test 967342 90 66 431470 10748.00 12368.00 6291.00
byte_jump 85642 15 15 12024 5709.00 5709.00 0.00
isdataat 19508 3 0 7612 6502.00 0.00 6502.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 570310 89 56 22760 6407.00 6709.00 5895.00
pcre 148878 4 0 74006 37219.00 0.00 37219.00
byte_test 967342 90 66 431470 10748.00 12368.00 6291.00
byte_jump 85642 15 15 12024 5709.00 5709.00 0.00
isdataat 19508 3 0 7612 6502.00 0.00 6502.00
2019-12-11 17:34:50,841 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-12-11 17:34:51,676 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-12-11 17:34:51,676 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-12-11 17:34:51,677 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-12-11 17:34:51,678 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-12-11 17:34:51,678 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/c3f062f091751aeb37658194d61b4c0c56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/12112019.1734-36b34b28-30f0-4c4a-88ea-1449c2768125.pcap -vvv -k none
2019-12-11 17:35:18,448 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-12-11 17:35:18,449 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 27.6166470051