Filename: 64_1526970465_final.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 9.24725294113 seconds
Hash: c787002058499699563d9db543491bcd
Uploaded: 1542360698

Logfiles

packet_stats.log - (5422 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           % 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6             6           615507        2087676       1369346          8.2m  100.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6             6            95132        1851694        619262          3.7m   98.20
TMM_RECEIVEPCAPFILE         IPv4       6             5             2571          10357          4638         23.2k    0.61
TMM_DECODEPCAPFILE          IPv4       6             5             2932          31367          8953         44.8k    1.18

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot       % 
--------------------   ------   -----   ----------     ------------   ------------   -----------    --------  ---
flow                    IPv4       6             5             3028          38709         10753         53.8k  1.87  
stream                  IPv4       6             6             7774          95159         38210        229.3k  7.98  
detect                  IPv4       6             6            47202        1041435        425061          2.6m  88.72 
tcp-prune               IPv4       6             6             2627          19008          6864         41.2k  1.43  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot 
--------------------   ------   -----   ----------     ------------   ------------   -----------    --------
Proto detect            IPv4       6             1            19077          19077         19077         19.1k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- ---
LOGGER_ALERT_FAST           IPv4       6             1           243457         243457        243457        243.5k  34.19 
LOGGER_UNIFIED2             IPv4       6             1           109472         109472        109472        109.5k  15.37 
LOGGER_JSON_ALERT           IPv4       6             1           359222         359222        359222        359.2k  50.44 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          % 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6             2             3830         182947         93388       186.8k  52.33 
stream                            IPv4       6             2             3240         166927         85083       170.2k  47.67 
Total                             IPv4                     4                                         89236       356.9k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         % 
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- ---
PROF_DETECT_IPONLY          IPv4       6             2            26466         113928         70197        140.4k  5.00  
PROF_DETECT_RULES           IPv4       6             6             2777         777741        255242          1.5m  54.57 
PROF_DETECT_STATEFUL_CONT    IPv4       6             6             2582          34388          8336         50.0k  1.78  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6             1             3056           3056          3056          3.1k  0.11  
PROF_DETECT_PREFILTER       IPv4       6             6             8429         226077         80665        484.0k  17.25 
PROF_DETECT_PF_PAYLOAD      IPv4       6             2           178433         194815        186624        373.2k  13.30 
PROF_DETECT_PF_TX           IPv4       6             1             4631           4631          4631          4.6k  0.17  
PROF_DETECT_PF_SORT1        IPv4       6             2            11753          14847         13300         26.6k  0.95  
PROF_DETECT_PF_SORT2        IPv4       6             6             2674           5275          3890         23.3k  0.83  
PROF_DETECT_NONMPMLIST      IPv4       6             6             2745          10432          4541         27.3k  0.97  
PROF_DETECT_ALERT           IPv4       6             6             2588          61552         12792         76.8k  2.74  
PROF_DETECT_CLEANUP         IPv4       6             6             2995          13382          5311         31.9k  1.14  
PROF_DETECT_GETSGH          IPv4       6             6             2647          14984          5611         33.7k  1.20  


suricata-4.0.0-etopen-all-alert-2018-11-16-T-09-31-48-11162018.0931-64_1526970465_final.pcap.txt - (191 bytes)
05/22/2018-06:23:39.336023  [**] [1:2009201:6] ET TROJAN Conficker.b Shellcode [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.10.97.250:44356 -> 10.10.97.251:445


suricata-4.0.0-etopen-all-perf.txt-2018-11-16-T-09-31-48-11162018.0931-64_1526970465_final.pcap.txt - (12759 bytes)
  --------------------------------------------------------------------------
  Date: 11/16/2018 -- 09:31:48. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2103228      1        4        48128        5.71   2        0        45093       24064.00    0.00        24064.00   
  2        2102258      1        10       67875        8.06   2        0        34734       33937.50    0.00        33937.50   
  3        2102191      1        4        65966        7.83   2        0        33777       32983.00    0.00        32983.00   
  4        2001569      1        15       33371        3.96   1        1        33371       33371.00    33371.00    0.00       
  5        2009201      1        6        26995        3.20   1        1        26995       26995.00    26995.00    0.00       
  6        2014957      1        1        40590        4.82   2        0        24446       20295.00    0.00        20295.00   
  7        2103416      1        4        13122        1.56   2        0        9898        6561.00     0.00        6561.00    
  8        2102523      1        8        4866         0.58   1        0        4866        4866.00     0.00        4866.00    
  9        2019235      1        1        4501         0.53   1        0        4501        4501.00     0.00        4501.00    
  10       2018281      1        4        4461         0.53   1        0        4461        4461.00     0.00        4461.00    
  11       2009387      1        4        4137         0.49   1        0        4137        4137.00     0.00        4137.00    
  12       2103267      1        5        7973         0.95   2        0        4129        3986.50     0.00        3986.50    
  13       2103019      1        5        7337         0.87   2        0        4119        3668.50     0.00        3668.50    
  14       2103233      1        5        7238         0.86   2        0        4039        3619.00     0.00        3619.00    
  15       2102947      1        6        6990         0.83   2        0        3951        3495.00     0.00        3495.00    
  16       2102939      1        7        7260         0.86   2        0        3944        3630.00     0.00        3630.00    
  17       2103029      1        6        6975         0.83   2        0        3942        3487.50     0.00        3487.50    
  18       2103001      1        5        7118         0.85   2        0        3933        3559.00     0.00        3559.00    
  19       2103432      1        4        7084         0.84   2        0        3896        3542.00     0.00        3542.00    
  20       2103183      1        4        7623         0.91   2        0        3875        3811.50     0.00        3811.50    
  21       2017935      1        3        3864         0.46   1        0        3864        3864.00     0.00        3864.00    
  22       2102190      1        5        7007         0.83   2        0        3861        3503.50     0.00        3503.50    
  23       2103259      1        5        7121         0.85   2        0        3859        3560.50     0.00        3560.50    
  24       2103431      1        4        6885         0.82   2        0        3855        3442.50     0.00        3442.50    
  25       2103117      1        5        7071         0.84   2        0        3842        3535.50     0.00        3535.50    
  26       2102945      1        6        7169         0.85   2        0        3839        3584.50     0.00        3584.50    
  27       2024435      1        1        3824         0.45   1        0        3824        3824.00     0.00        3824.00    
  28       2103125      1        4        7340         0.87   2        0        3813        3670.00     0.00        3670.00    
  29       2103128      1        4        6853         0.81   2        0        3790        3426.50     0.00        3426.50    
  30       2102998      1        6        6833         0.81   2        0        3785        3416.50     0.00        3416.50    
  31       2103190      1        4        7330         0.87   2        0        3770        3665.00     0.00        3665.00    
  32       2102949      1        7        6994         0.83   2        0        3754        3497.00     0.00        3497.00    
  33       2103412      1        4        7072         0.84   2        0        3749        3536.00     0.00        3536.00    
  34       2103182      1        4        6553         0.78   2        0        3713        3276.50     0.00        3276.50    
  35       2021976      1        2        3695         0.44   1        0        3695        3695.00     0.00        3695.00    
  36       2103229      1        4        7207         0.86   2        0        3695        3603.50     0.00        3603.50    
  37       2103436      1        4        6994         0.83   2        0        3677        3497.00     0.00        3497.00    
  38       2103027      1        6        6779         0.80   2        0        3640        3389.50     0.00        3389.50    
  39       2103262      1        5        6482         0.77   2        0        3618        3241.00     0.00        3241.00    
  40       2103179      1        4        6710         0.80   2        0        3603        3355.00     0.00        3355.00    
  41       2103186      1        4        7108         0.84   2        0        3597        3554.00     0.00        3554.00    
  42       2102481      1        10       6654         0.79   2        0        3597        3327.00     0.00        3327.00    
  43       2103428      1        4        6839         0.81   2        0        3595        3419.50     0.00        3419.50    
  44       2018067      1        3        3562         0.42   1        0        3562        3562.00     0.00        3562.00    
  45       2103191      1        4        6817         0.81   2        0        3540        3408.50     0.00        3408.50    
  46       2103271      1        5        6784         0.81   2        0        3537        3392.00     0.00        3392.00    
  47       2022024      1        1        6572         0.78   2        0        3534        3286.00     0.00        3286.00    
  48       2022132      1        1        6959         0.83   2        0        3529        3479.50     0.00        3479.50    
  49       2103121      1        5        6711         0.80   2        0        3500        3355.50     0.00        3355.50    
  50       2103159      1        4        3478         0.41   1        0        3478        3478.00     0.00        3478.00    
  51       2008306      1        3        6427         0.76   2        0        3476        3213.50     0.00        3213.50    
  52       2103221      1        4        6721         0.80   2        0        3472        3360.50     0.00        3360.50    
  53       2008301      1        3        6711         0.80   2        0        3470        3355.50     0.00        3355.50    
  54       2102480      1        10       6323         0.75   2        0        3470        3161.50     0.00        3161.50    
  55       2103440      1        4        6781         0.81   2        0        3466        3390.50     0.00        3390.50    
  56       2102511      1        10       6714         0.80   2        0        3463        3357.00     0.00        3357.00    
  57       2103129      1        4        6327         0.75   2        0        3451        3163.50     0.00        3163.50    
  58       2103239      1        4        3423         0.41   1        0        3423        3423.00     0.00        3423.00    
  59       2102994      1        5        6519         0.77   2        0        3415        3259.50     0.00        3259.50    
  60       2103439      1        4        6242         0.74   2        0        3400        3121.00     0.00        3121.00    
  61       2102999      1        7        6564         0.78   2        0        3394        3282.00     0.00        3282.00    
  62       2103232      1        4        6470         0.77   2        0        3393        3235.00     0.00        3235.00    
  63       2103158      1        6        6446         0.77   2        0        3378        3223.00     0.00        3223.00    
  64       2103420      1        4        6690         0.79   2        0        3364        3345.00     0.00        3345.00    
  65       2020020      1        1        3358         0.40   1        0        3358        3358.00     0.00        3358.00    
  66       2103002      1        5        6446         0.77   2        0        3354        3223.00     0.00        3223.00    
  67       2103263      1        5        6671         0.79   2        0        3352        3335.50     0.00        3335.50    
  68       2102523      1        8        3349         0.40   1        0        3349        3349.00     0.00        3349.00    
  69       2021978      1        6        3340         0.40   1        0        3340        3340.00     0.00        3340.00    
  70       2102967      1        5        6491         0.77   2        0        3310        3245.50     0.00        3245.50    
  71       2102971      1        5        6522         0.77   2        0        3306        3261.00     0.00        3261.00    
  72       2103266      1        6        6238         0.74   2        0        3255        3119.00     0.00        3119.00    
  73       2103424      1        4        6470         0.77   2        0        3241        3235.00     0.00        3235.00    
  74       2102995      1        6        6261         0.74   2        0        3233        3130.50     0.00        3130.50    
  75       2103225      1        4        6263         0.74   2        0        3224        3131.50     0.00        3131.50    
  76       2103224      1        4        6193         0.74   2        0        3196        3096.50     0.00        3096.50    
  77       2103124      1        4        6248         0.74   2        0        3192        3124.00     0.00        3124.00    
  78       2103258      1        5        5997         0.71   2        0        3181        2998.50     0.00        2998.50    
  79       2102944      1        6        6044         0.72   2        0        3176        3022.00     0.00        3022.00    
  80       2102937      1        6        6201         0.74   2        0        3162        3100.50     0.00        3100.50    
  81       2103415      1        4        6253         0.74   2        0        3144        3126.50     0.00        3126.50    
  82       2103270      1        5        5949         0.71   2        0        3133        2974.50     0.00        2974.50    
  83       2103423      1        4        6138         0.73   2        0        3080        3069.00     0.00        3069.00    
  84       2102970      1        5        6119         0.73   2        0        3069        3059.50     0.00        3059.50    
  85       2103035      1        9        6110         0.73   2        0        3066        3055.00     0.00        3055.00    
  86       2103187      1        4        5885         0.70   2        0        3006        2942.50     0.00        2942.50    
  87       2102966      1        5        5769         0.68   2        0        2949        2884.50     0.00        2884.50    
  88       2103178      1        4        5879         0.70   2        0        2947        2939.50     0.00        2939.50    
  89       2103120      1        4        5758         0.68   2        0        2916        2879.00     0.00        2879.00    
  90       2103435      1        4        5719         0.68   2        0        2903        2859.50     0.00        2859.50    
  91       2103411      1        4        5723         0.68   2        0        2890        2861.50     0.00        2861.50    
  92       2103116      1        5        5734         0.68   2        0        2888        2867.00     0.00        2867.00    
  93       2103427      1        4        5732         0.68   2        0        2884        2866.00     0.00        2866.00    
  94       2103419      1        4        5681         0.67   2        0        2859        2840.50     0.00        2840.50    
  95       2103220      1        4        5679         0.67   2        0        2848        2839.50     0.00        2839.50    
  96       2103238      1        4        2835         0.34   1        0        2835        2835.00     0.00        2835.00    


suricata-report-2018-11-16-T-09-31-48-11162018.0931-64_1526970465_final.pcap.txt - (18191 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/c787002058499699563d9db543491bcdd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/11162018.0931-64_1526970465_final.pcap -vvv -k none
elapsedtime:8.257600
stderr:
stdout:
16/11/2018 -- 09:31:39 - <Info> - Configuration node 'rule-files' redefined.
16/11/2018 -- 09:31:39 - <Notice> - This is Suricata version 4.0.0 RELEASE
16/11/2018 -- 09:31:39 - <Info> - CPUs/cores online: 1
16/11/2018 -- 09:31:39 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33604 and 'request-body-inspect-window' set to 16756 after randomization.
16/11/2018 -- 09:31:39 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33644 and 'response-body-inspect-window' set to 16881 after randomization.
16/11/2018 -- 09:31:39 - <Config> - DNS request flood protection level: 500
16/11/2018 -- 09:31:39 - <Config> - DNS per flow memcap (state-memcap): 524288
16/11/2018 -- 09:31:39 - <Config> - DNS global memcap: 16777216
16/11/2018 -- 09:31:39 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
16/11/2018 -- 09:31:39 - <Config> - preallocated 1000 hosts of size 136
16/11/2018 -- 09:31:39 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
16/11/2018 -- 09:31:39 - <Config> - using magic-file /usr/share/file/magic
16/11/2018 -- 09:31:39 - <Config> - Core dump size is unlimited.
16/11/2018 -- 09:31:39 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
16/11/2018 -- 09:31:39 - <Config> - preallocated 1000 defrag trackers of size 168
16/11/2018 -- 09:31:39 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
16/11/2018 -- 09:31:39 - <Config> - stream "prealloc-sessions": 2048 (per thread)
16/11/2018 -- 09:31:39 - <Config> - stream "memcap": 33554432
16/11/2018 -- 09:31:39 - <Config> - stream "midstream" session pickups: disabled
16/11/2018 -- 09:31:39 - <Config> - stream "async-oneside": disabled
16/11/2018 -- 09:31:39 - <Config> - stream "checksum-validation": disabled
16/11/2018 -- 09:31:39 - <Config> - stream."inline": disabled
16/11/2018 -- 09:31:39 - <Config> - stream "bypass": disabled
16/11/2018 -- 09:31:39 - <Config> - stream "max-synack-queued": 5
16/11/2018 -- 09:31:39 - <Config> - stream.reassembly "memcap": 134217728
16/11/2018 -- 09:31:39 - <Config> - stream.reassembly "depth": 0
16/11/2018 -- 09:31:39 - <Config> - stream.reassembly "toserver-chunk-size": 2579
16/11/2018 -- 09:31:39 - <Config> - stream.reassembly "toclient-chunk-size": 2671
16/11/2018 -- 09:31:39 - <Config> - stream.reassembly.raw: enabled
16/11/2018 -- 09:31:39 - <Config> - stream.reassembly "segment-prealloc": 2048
16/11/2018 -- 09:31:39 - <Config> - Delayed detect disabled
16/11/2018 -- 09:31:39 - <Config> - pattern matchers: MPM: ac, SPM: bm
16/11/2018 -- 09:31:39 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
16/11/2018 -- 09:31:39 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
16/11/2018 -- 09:31:39 - <Config> - prefilter engines: MPM
16/11/2018 -- 09:31:39 - <Config> - IP reputation disabled
16/11/2018 -- 09:31:39 - <Perf> - Registered 148 keyword profiling counters.
16/11/2018 -- 09:31:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
16/11/2018 -- 09:31:39 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
16/11/2018 -- 09:31:40 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
16/11/2018 -- 09:31:41 - <Config> - No rules loaded from ET-emerging-icmp.rules.
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
16/11/2018 -- 09:31:41 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
16/11/2018 -- 09:31:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
16/11/2018 -- 09:31:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
16/11/2018 -- 09:31:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
16/11/2018 -- 09:31:42 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
16/11/2018 -- 09:31:44 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
16/11/2018 -- 09:31:45 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
16/11/2018 -- 09:31:45 - <Config> - No rules loaded from local.rules.
16/11/2018 -- 09:31:45 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
16/11/2018 -- 09:31:45 - <Info> - Threshold config parsed: 0 rule(s) found
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for tcp-packet
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for tcp-stream
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for udp-packet
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for other-ip
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_uri
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_request_line
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_client_body
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_response_line
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_header
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_header
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_header_names
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_header_names
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_accept
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_accept_enc
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_accept_lang
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_referer
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_connection
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_content_len
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_content_len
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_content_type
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_content_type
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_protocol
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_protocol
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_start
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_start
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_raw_header
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_raw_header
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_method
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_cookie
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_cookie
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_raw_uri
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_user_agent
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_host
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_raw_host
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_stat_msg
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_stat_code
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for dns_query
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for tls_sni
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for tls_cert_issuer
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for tls_cert_subject
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for tls_cert_serial
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for dce_stub_data
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for dce_stub_data
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for ssh_protocol
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for ssh_protocol
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for ssh_software
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for ssh_software
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for file_data
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for file_data
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_request_line
16/11/2018 -- 09:31:45 - <Perf> - using shared mpm ctx' for http_response_line
16/11/2018 -- 09:31:45 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
16/11/2018 -- 09:31:45 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
16/11/2018 -- 09:31:45 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
16/11/2018 -- 09:31:45 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
16/11/2018 -- 09:31:45 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
16/11/2018 -- 09:31:45 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
16/11/2018 -- 09:31:45 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
16/11/2018 -- 09:31:45 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
16/11/2018 -- 09:31:46 - <Perf> - Unique rule groups: 111
16/11/2018 -- 09:31:46 - <Perf> - Builtin MPM "toserver TCP packet": 31
16/11/2018 -- 09:31:46 - <Perf> - Builtin MPM "toclient TCP packet": 20
16/11/2018 -- 09:31:46 - <Perf> - Builtin MPM "toserver TCP stream": 31
16/11/2018 -- 09:31:46 - <Perf> - Builtin MPM "toclient TCP stream": 21
16/11/2018 -- 09:31:46 - <Perf> - Builtin MPM "toserver UDP packet": 33
16/11/2018 -- 09:31:46 - <Perf> - Builtin MPM "toclient UDP packet": 15
16/11/2018 -- 09:31:46 - <Perf> - Builtin MPM "other IP packet": 2
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_uri": 8
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_request_line": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_client_body": 6
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient http_response_line": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_header": 6
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient http_header": 3
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_header_names": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_accept": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_referer": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_content_len": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_content_type": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient http_content_type": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_start": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_method": 3
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_cookie": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient http_cookie": 2
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver http_host": 2
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver dns_query": 4
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver tls_sni": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toserver file_data": 1
16/11/2018 -- 09:31:46 - <Perf> - AppLayer MPM "toclient file_data": 5
16/11/2018 -- 09:31:47 - <Perf> - Registered 18241 rule profiling counters.
16/11/2018 -- 09:31:47 - <Info> - fast output device (regular) initialized: alert
16/11/2018 -- 09:31:47 - <Info> - eve-log output device (regular) initialized: eve.json
16/11/2018 -- 09:31:47 - <Config> - enabling 'eve-log' module 'alert'
16/11/2018 -- 09:31:47 - <Config> - enabling 'eve-log' module 'http'
16/11/2018 -- 09:31:47 - <Config> - enabling 'eve-log' module 'dns'
16/11/2018 -- 09:31:47 - <Config> - enabling 'eve-log' module 'tls'
16/11/2018 -- 09:31:47 - <Config> - enabling 'eve-log' module 'files'
16

This file has been truncated.


stats.log (2075 bytes)
------------------------------------------------------------------------------------
Date: 11/16/2018 -- 09:31:48 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 5
decoder.bytes                              | Total                     | 1126
decoder.ipv4                               | Total                     | 5
decoder.ethernet                           | Total                     | 5
decoder.tcp                                | Total                     | 5
decoder.avg_pkt_size                       | Total                     | 225
decoder.max_pkt_size                       | Total                     | 858
flow.tcp                                   | Total                     | 1
tcp.sessions                               | Total                     | 1
tcp.syn                                    | Total                     | 1
tcp.synack                                 | Total                     | 1
tcp.rst                                    | Total                     | 1
detect.alert                               | Total                     | 1
detect.mpm_list                            | Total                     | 28
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 29
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074592


eve.json (379 bytes)
{"timestamp":"2018-05-22T06:23:39.336023+0000","flow_id":251215714393590,"event_type":"alert","src_ip":"10.10.97.250","src_port":44356,"dest_ip":"10.10.97.251","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009201,"rev":6,"signature":"ET TROJAN Conficker.b Shellcode","category":"A Network Trojan was detected","severity":1},"app_proto":"smb"}


keyword_perf.log (3408 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/16/2018 -- 09:31:48
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            3221            1               1               3221            3221.00         3221.00         0.00           
  flow             9196            2               2               5183            4598.00         4598.00         0.00           
  threshold        46825           1               0               46825           46825.00        0.00            46825.00       
  content          88856           22              13              8410            4038.00         4143.00         3887.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            3221            1               1               3221            3221.00         3221.00         0.00           
  flow             9196            2               2               5183            4598.00         4598.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          88856           22              13              8410            4038.00         4143.00         3887.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        46825           1               0               46825           46825.00        0.00            46825.00       


IDSDeathBlossom.py.log (1162 bytes)
2018-11-16 09:31:39,095 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-16 09:31:39,877 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-16 09:31:39,877 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2018-11-16 09:31:39,878 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-16 09:31:39,878 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-16 09:31:39,878 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/c787002058499699563d9db543491bcdd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/11162018.0931-64_1526970465_final.pcap -vvv -k none
2018-11-16 09:31:48,138 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-16 09:31:48,139 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 9.05196499825


unified2.alert.1542360707 (928 bytes)
[binary unified2 alert record (928 bytes); not renderable as text]