Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 10 479698 13137301 6525133 65.3m 100.00
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 10 68798 9589991 1298462 13.0m 99.35
TMM_RECEIVEPCAPFILE IPv4 6 10 2547 12435 3860 38.6k 0.30
TMM_DECODEPCAPFILE IPv4 6 10 2814 18816 4630 46.3k 0.35
Flow Worker IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
flow IPv4 6 10 2637 14634 4365 43.7k 0.67
stream IPv4 6 10 4781 293155 69243 692.4k 10.67
detect IPv4 6 10 44622 3469193 571886 5.7m 88.14
tcp-prune IPv4 6 10 2538 6596 3361 33.6k 0.52
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
http IPv4 6 1 39952 39952 39952 40.0k 100.00
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
LOGGER_JSON_HTTP IPv4 6 1 5842805 5842805 5842805 5.8m 92.37
LOGGER_JSON_FILE IPv4 6 1 482556 482556 482556 482.6k 7.63
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 4 2810 77463 38892 155.6k 13.37
stream IPv4 6 4 2643 98952 50794 203.2k 17.46
http_uri IPv4 6 1 19478 19478 19478 19.5k 1.67
http_request_line IPv4 6 1 7495 7495 7495 7.5k 0.64
http_client_body IPv4 6 1 13438 13438 13438 13.4k 1.15
http_header (request) IPv4 6 1 94870 94870 94870 94.9k 8.15
http_header (request trailer) IPv4 6 1 2695 2695 2695 2.7k 0.23
http_header_names (request) IPv4 6 1 24720 24720 24720 24.7k 2.12
http_accept (request) IPv4 6 1 7253 7253 7253 7.3k 0.62
http_referer (request) IPv4 6 1 3542 3542 3542 3.5k 0.30
http_content_len (request) IPv4 6 1 3428 3428 3428 3.4k 0.29
http_content_type (request) IPv4 6 1 3278 3278 3278 3.3k 0.28
http_start (request) IPv4 6 1 12518 12518 12518 12.5k 1.08
http_raw_header (request) IPv4 6 1 14078 14078 14078 14.1k 1.21
http_method IPv4 6 1 5443 5443 5443 5.4k 0.47
http_cookie (request) IPv4 6 1 3769 3769 3769 3.8k 0.32
http_raw_uri IPv4 6 1 6044 6044 6044 6.0k 0.52
http_user_agent IPv4 6 1 32213 32213 32213 32.2k 2.77
http_host IPv4 6 1 7590 7590 7590 7.6k 0.65
http_response_line IPv4 6 1 11181 11181 11181 11.2k 0.96
http_header (response) IPv4 6 1 43105 43105 43105 43.1k 3.70
http_header (response trailer) IPv4 6 1 4704 4704 4704 4.7k 0.40
http_content_type (response) IPv4 6 1 6819 6819 6819 6.8k 0.59
http_raw_header (response) IPv4 6 1 10497 10497 10497 10.5k 0.90
http_cookie (response) IPv4 6 1 3617 3617 3617 3.6k 0.31
http_stat_code IPv4 6 1 382783 382783 382783 382.8k 32.89
file_data (http response) IPv4 6 1 80625 80625 80625 80.6k 6.93
Total IPv4 33 35270 1.2m
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
PROF_DETECT_IPONLY IPv4 6 2 20475 57325 38900 77.8k 0.91
PROF_DETECT_RULES IPv4 6 10 2555 2973405 332605 3.3m 38.99
PROF_DETECT_STATEFUL_START IPv4 6 4 5346 1324959 336737 1.3m 15.79
PROF_DETECT_STATEFUL_CONT IPv4 6 10 2503 27214 6141 61.4k 0.72
PROF_DETECT_STATEFUL_UPDATE IPv4 6 6 2555 3183 2878 17.3k 0.20
PROF_DETECT_PREFILTER IPv4 6 10 8012 700607 181836 1.8m 21.32
PROF_DETECT_PF_PAYLOAD IPv4 6 4 82150 109636 97445 389.8k 4.57
PROF_DETECT_PF_TX IPv4 6 6 2764 571083 149881 899.3k 10.54
PROF_DETECT_PF_SORT1 IPv4 6 3 3339 11033 5975 17.9k 0.21
PROF_DETECT_PF_SORT2 IPv4 6 10 2564 388386 41751 417.5k 4.89
PROF_DETECT_NONMPMLIST IPv4 6 10 2540 4852 3211 32.1k 0.38
PROF_DETECT_ALERT IPv4 6 10 2523 12834 3787 37.9k 0.44
PROF_DETECT_CLEANUP IPv4 6 10 2607 16445 5337 53.4k 0.63
PROF_DETECT_GETSGH IPv4 6 10 2529 6821 3420 34.2k 0.40
------------------------------------------------------------------------------------
Date: 7/9/2019 -- 11:38:32 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 10
decoder.bytes | Total | 1611
decoder.ipv4 | Total | 10
decoder.ethernet | Total | 10
decoder.tcp | Total | 10
decoder.avg_pkt_size | Total | 161
decoder.max_pkt_size | Total | 579
flow.tcp | Total | 1
tcp.sessions | Total | 1
tcp.syn | Total | 1
tcp.synack | Total | 1
detect.mpm_list | Total | 9
detect.nonmpm_list | Total | 2
detect.match_list | Total | 9
app_layer.flow.http | Total | 1
app_layer.tx.http | Total | 1
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 1
flow_mgr.flows_notimeout | Total | 1
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65535
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7074592
{"timestamp":"2008-09-13T11:31:30.726171+0000","flow_id":849169335053554,"pcap_cnt":6,"event_type":"http","src_ip":"192.168.1.4","src_port":61990,"dest_ip":"76.74.9.18","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.milw0rm.org","url":"\/exploit.php?id=2866","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)","http_content_type":"text\/html"}}
{"timestamp":"2008-09-13T11:31:34.680285+0000","flow_id":849169335053554,"pcap_cnt":8,"event_type":"fileinfo","src_ip":"76.74.9.18","src_port":80,"dest_ip":"192.168.1.4","dest_port":61990,"proto":"TCP","http":{"hostname":"www.milw0rm.org","url":"\/exploit.php?id=2866","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282},"app_proto":"http","fileinfo":{"filename":"\/exploit.php","gaps":false,"state":"CLOSED","stored":false,"size":316,"tx_id":0}}
--------------------------------------------------------------------------
Date: 7/9/2019 -- 11:38:32. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2013419 1 4 81334 3.29 1 0 81334 81334.00 0.00 81334.00
2 2019094 1 5 65861 2.66 1 0 65861 65861.00 0.00 65861.00
3 2023670 1 3 49462 2.00 1 1 49462 49462.00 49462.00 0.00
4 2023315 1 2 47075 1.90 1 0 47075 47075.00 0.00 47075.00
5 2022339 1 2 46905 1.89 1 0 46905 46905.00 0.00 46905.00
6 2014189 1 3 41696 1.68 1 0 41696 41696.00 0.00 41696.00
7 2022502 1 4 40340 1.63 1 0 40340 40340.00 0.00 40340.00
8 2025064 1 5 39748 1.61 1 0 39748 39748.00 0.00 39748.00
9 2020706 1 2 39722 1.60 1 0 39722 39722.00 0.00 39722.00
10 2021718 1 4 39157 1.58 1 0 39157 39157.00 0.00 39157.00
11 2023875 1 2 39105 1.58 1 0 39105 39105.00 0.00 39105.00
12 2022503 1 2 39026 1.58 1 0 39026 39026.00 0.00 39026.00
13 2018358 1 7 37497 1.51 1 0 37497 37497.00 0.00 37497.00
14 2018452 1 15 36357 1.47 1 0 36357 36357.00 0.00 36357.00
15 2019693 1 5 35842 1.45 1 0 35842 35842.00 0.00 35842.00
16 2016858 1 10 35690 1.44 1 0 35690 35690.00 0.00 35690.00
17 2022901 1 2 35604 1.44 1 0 35604 35604.00 0.00 35604.00
18 2011894 1 19 34806 1.41 1 0 34806 34806.00 0.00 34806.00
19 2019344 1 5 34173 1.38 1 0 34173 34173.00 0.00 34173.00
20 2021418 1 9 33834 1.37 1 0 33834 33834.00 0.00 33834.00
21 2024239 1 3 29892 1.21 1 0 29892 29892.00 0.00 29892.00
22 2019881 1 3 29774 1.20 1 0 29774 29774.00 0.00 29774.00
23 2017814 1 3 29653 1.20 1 0 29653 29653.00 0.00 29653.00
24 2020643 1 3 29511 1.19 1 0 29511 29511.00 0.00 29511.00
25 2018496 1 9 29388 1.19 1 0 29388 29388.00 0.00 29388.00
26 2020181 1 8 29323 1.18 1 0 29323 29323.00 0.00 29323.00
27 2017119 1 4 29306 1.18 1 0 29306 29306.00 0.00 29306.00
28 2020963 1 2 29264 1.18 1 0 29264 29264.00 0.00 29264.00
29 2021552 1 2 29222 1.18 1 0 29222 29222.00 0.00 29222.00
30 2022207 1 4 29150 1.18 1 0 29150 29150.00 0.00 29150.00
31 2017613 1 9 29089 1.17 1 0 29089 29089.00 0.00 29089.00
32 2022220 1 2 29022 1.17 1 0 29022 29022.00 0.00 29022.00
33 2017261 1 3 28984 1.17 1 0 28984 28984.00 0.00 28984.00
34 2024767 1 2 28828 1.16 1 0 28828 28828.00 0.00 28828.00
35 2011925 1 6 28822 1.16 1 0 28822 28822.00 0.00 28822.00
36 2017948 1 2 28728 1.16 1 0 28728 28728.00 0.00 28728.00
37 2011791 1 4 28720 1.16 1 0 28720 28720.00 0.00 28720.00
38 2020962 1 3 28676 1.16 1 0 28676 28676.00 0.00 28676.00
39 2024452 1 3 28669 1.16 1 0 28669 28669.00 0.00 28669.00
40 2022262 1 3 28630 1.16 1 0 28630 28630.00 0.00 28630.00
41 2018981 1 4 28580 1.15 1 0 28580 28580.00 0.00 28580.00
42 2008377 1 5 28534 1.15 1 0 28534 28534.00 0.00 28534.00
43 2015877 1 6 28524 1.15 1 0 28524 28524.00 0.00 28524.00
44 2021413 1 2 28439 1.15 1 0 28439 28439.00 0.00 28439.00
45 2018242 1 5 28287 1.14 1 0 28287 28287.00 0.00 28287.00
46 2025162 1 2 28253 1.14 1 0 28253 28253.00 0.00 28253.00
47 2020083 1 3 28173 1.14 1 0 28173 28173.00 0.00 28173.00
48 2020964 1 2 27999 1.13 1 0 27999 27999.00 0.00 27999.00
49 2021747 1 9 27702 1.12 1 0 27702 27702.00 0.00 27702.00
50 2022343 1 2 27571 1.11 1 0 27571 27571.00 0.00 27571.00
51 2021399 1 3 27509 1.11 1 0 27509 27509.00 0.00 27509.00
52 2018983 1 7 26932 1.09 1 0 26932 26932.00 0.00 26932.00
53 2017076 1 9 26693 1.08 1 0 26693 26693.00 0.00 26693.00
54 2017454 1 12 24761 1.00 1 0 24761 24761.00 0.00 24761.00
55 2016706 1 20 23820 0.96 1 0 23820 23820.00 0.00 23820.00
56 2024178 1 2 23394 0.94 1 0 23394 23394.00 0.00 23394.00
57 2012707 1 5 23127 0.93 1 0 23127 23127.00 0.00 23127.00
58 2017456 1 3 22838 0.92 1 0 22838 22838.00 0.00 22838.00
59 2003657 1 18 22541 0.91 1 0 22541 22541.00 0.00 22541.00
60 2019378 1 12 22508 0.91 1 0 22508 22508.00 0.00 22508.00
61 2022049 1 3 22110 0.89 1 0 22110 22110.00 0.00 22110.00
62 2012612 1 16 22109 0.89 1 0 22109 22109.00 0.00 22109.00
63 2020860 1 4 22083 0.89 1 0 22083 22083.00 0.00 22083.00
64 2018958 1 18 21953 0.89 1 0 21953 21953.00 0.00 21953.00
65 2017552 1 6 49469 2.00 3 0 21605 16489.67 0.00 16489.67
66 2016809 1 5 21489 0.87 1 0 21489 21489.00 0.00 21489.00
67 2018010 1 5 21327 0.86 1 0 21327 21327.00 0.00 21327.00
68 2016223 1 10 21130 0.85 1 0 21130 21130.00 0.00 21130.00
69 2017036 1 3 21091 0.85 1 0 21091 21091.00 0.00 21091.00
70 2017556 1 3 21065 0.85 1 0 21065 21065.00 0.00 21065.00
71 2003492 1 30 20736 0.84 1 0 20736 20736.00 0.00 20736.00
72 2020705 1 4 20573 0.83 1 0 20573 20573.00 0.00 20573.00
73 2021787 1 2 20489 0.83 1 0 20489 20489.00 0.00 20489.00
74 2024606 1 2 20246 0.82 1 0 20246 20246.00 0.00 20246.00
75 2014442 1 6 20147 0.81 1 0 20147 20147.00 0.00 20147.00
76 2014967 1 3 20112 0.81 1 0 20112 20112.00 0.00 20112.00
77 2016537 1 2 32551 1.31 2 0 17814 16275.50 0.00 16275.50
78 2016379 1 5 16680 0.67 1 0 16680 16680.00 0.00 16680.00
79 2016948 1 2 15424 0.62 1 0 15424 15424.00 0.00 15424.00
80 2024513 1 5 15125 0.61 1 0 15125 15125.00 0.00 15125.00
81 2020297 1 2 14835 0.60 1 0 14835 14835.00 0.00 14835.00
82 2008420 1 4 7179 0.29 2 0 4242 3589.50 0.00 3589.50
83 2102523 1 8 4118 0.17 1 0 4118 4118.00 0.00 4118.00
84 2023183 1 2 4032 0.16 1 0 4032 4032.00 0.00 4032.00
85 2020388 1 8 3879 0.16 1 0 3879 3879.00 0.00 3879.00
86 2010515 1 6 3673 0.15 1 0 3673 3673.00 0.00 3673.00
87 2100540 1 12 6803 0.27 2 0 3661 3401.50 0.00 3401.50
88 2100540 1 12 6880 0.28 2 0 3661 3440.00 0.00 3440.00
89 2010513 1 5 3575 0.14 1 0 3575 3575.00 0.00 3575.00
90 2021584 1 4 3335 0.13 1 0 3335 3335.00 0.00 3335.00
91 2102523 1 8 3332 0.13 1 0 3332 3332.00 0.00 3332.00
92 2001330 1 8 6221 0.25 2 0 3170 3110.50 0.00 3110.50
--------------------------------------------------------------------------------------------------------------------------------
Date: 7/9/2019 -- 11:38:32
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 284162 84 84 4842 3382.00 3382.00 0.00
content 419471 105 66 6078 3994.00 4178.00 3684.00
pcre 157832 22 5 26936 7174.00 11644.00 5859.00
flowbits 18427 5 1 5923 3685.00 5923.00 3126.00
urilen 72374 22 3 4541 3289.00 2872.00 3355.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 284162 84 84 4842 3382.00 3382.00 0.00
flowbits 12504 4 0 3428 3126.00 0.00 3126.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 20052 4 3 5505 5013.00 5180.00 4511.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: post-match
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flowbits 5923 1 1 5923 5923.00 5923.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_uri
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 178316 45 29 5686 3962.00 4106.00 3702.00
pcre 137684 20 4 26936 6884.00 12890.00 5382.00
urilen 72374 22 3 4541 3289.00 2872.00 3355.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_response_line
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 3492 1 0 3492 3492.00 0.00 3492.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 99230 22 15 6078 4510.00 4534.00 4458.00
pcre 20148 2 1 13487 10074.00 6661.00 13487.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header_names
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 18904 5 4 4293 3780.00 3765.00 3844.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_method
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 27434 9 1 3316 3048.00 3316.00 3014.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_user_agent
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 72043 19 14 4542 3791.00 3912.00 3453.00
2019-07-09 11:38:24,411 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-07-09 11:38:25,136 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-07-09 11:38:25,136 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2019-07-09 11:38:25,136 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-07-09 11:38:25,136 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-07-09 11:38:25,137 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/da5f75b5fb76c6ef800cbbdf9e3c0609d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/07092019.1138-Acer_LunchApp_APlunch_ActiveX_Control_Command_Execution_Exploit.pcap -vvv -k none
2019-07-09 11:38:32,115 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-07-09 11:38:32,116 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 7.71272301674
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/da5f75b5fb76c6ef800cbbdf9e3c0609d2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/07092019.1138-Acer_LunchApp_APlunch_ActiveX_Control_Command_Execution_Exploit.pcap -vvv -k none
elapsedtime:6.977311
stderr:
stdout:
9/7/2019 -- 11:38:25 - <Info> - Configuration node 'rule-files' redefined.
9/7/2019 -- 11:38:25 - <Notice> - This is Suricata version 4.0.0 RELEASE
9/7/2019 -- 11:38:25 - <Info> - CPUs/cores online: 1
9/7/2019 -- 11:38:25 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33741 and 'request-body-inspect-window' set to 16797 after randomization.
9/7/2019 -- 11:38:25 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 34201 and 'response-body-inspect-window' set to 16129 after randomization.
9/7/2019 -- 11:38:25 - <Config> - DNS request flood protection level: 500
9/7/2019 -- 11:38:25 - <Config> - DNS per flow memcap (state-memcap): 524288
9/7/2019 -- 11:38:25 - <Config> - DNS global memcap: 16777216
9/7/2019 -- 11:38:25 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
9/7/2019 -- 11:38:25 - <Config> - preallocated 1000 hosts of size 136
9/7/2019 -- 11:38:25 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
9/7/2019 -- 11:38:25 - <Config> - using magic-file /usr/share/file/magic
9/7/2019 -- 11:38:25 - <Config> - Core dump size is unlimited.
9/7/2019 -- 11:38:25 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
9/7/2019 -- 11:38:25 - <Config> - preallocated 1000 defrag trackers of size 168
9/7/2019 -- 11:38:25 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
9/7/2019 -- 11:38:25 - <Config> - stream "prealloc-sessions": 2048 (per thread)
9/7/2019 -- 11:38:25 - <Config> - stream "memcap": 33554432
9/7/2019 -- 11:38:25 - <Config> - stream "midstream" session pickups: disabled
9/7/2019 -- 11:38:25 - <Config> - stream "async-oneside": disabled
9/7/2019 -- 11:38:25 - <Config> - stream "checksum-validation": disabled
9/7/2019 -- 11:38:25 - <Config> - stream."inline": disabled
9/7/2019 -- 11:38:25 - <Config> - stream "bypass": disabled
9/7/2019 -- 11:38:25 - <Config> - stream "max-synack-queued": 5
9/7/2019 -- 11:38:25 - <Config> - stream.reassembly "memcap": 134217728
9/7/2019 -- 11:38:25 - <Config> - stream.reassembly "depth": 0
9/7/2019 -- 11:38:25 - <Config> - stream.reassembly "toserver-chunk-size": 2478
9/7/2019 -- 11:38:25 - <Config> - stream.reassembly "toclient-chunk-size": 2468
9/7/2019 -- 11:38:25 - <Config> - stream.reassembly.raw: enabled
9/7/2019 -- 11:38:25 - <Config> - stream.reassembly "segment-prealloc": 2048
9/7/2019 -- 11:38:25 - <Config> - Delayed detect disabled
9/7/2019 -- 11:38:25 - <Config> - pattern matchers: MPM: ac, SPM: bm
9/7/2019 -- 11:38:25 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
9/7/2019 -- 11:38:25 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
9/7/2019 -- 11:38:25 - <Config> - prefilter engines: MPM
9/7/2019 -- 11:38:25 - <Config> - IP reputation disabled
9/7/2019 -- 11:38:25 - <Perf> - Registered 148 keyword profiling counters.
9/7/2019 -- 11:38:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
9/7/2019 -- 11:38:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
9/7/2019 -- 11:38:25 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
9/7/2019 -- 11:38:26 - <Config> - No rules loaded from ET-emerging-icmp.rules.
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
9/7/2019 -- 11:38:26 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
9/7/2019 -- 11:38:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
9/7/2019 -- 11:38:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
9/7/2019 -- 11:38:27 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
9/7/2019 -- 11:38:29 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
9/7/2019 -- 11:38:29 - <Config> - No rules loaded from local.rules.
9/7/2019 -- 11:38:29 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
9/7/2019 -- 11:38:29 - <Info> - Threshold config parsed: 0 rule(s) found
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for tcp-packet
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for tcp-stream
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for udp-packet
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for other-ip
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_uri
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_request_line
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_client_body
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_response_line
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_header
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_header
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_header_names
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_header_names
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_accept
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_accept_enc
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_accept_lang
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_referer
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_connection
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_content_len
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_content_len
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_content_type
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_content_type
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_protocol
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_protocol
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_start
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_start
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_raw_header
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_raw_header
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_method
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_cookie
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_cookie
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_raw_uri
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_user_agent
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_host
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_raw_host
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_stat_msg
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_stat_code
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for dns_query
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for tls_sni
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for tls_cert_issuer
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for tls_cert_subject
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for tls_cert_serial
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for dce_stub_data
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for dce_stub_data
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for ssh_protocol
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for ssh_protocol
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for ssh_software
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for ssh_software
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for file_data
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for file_data
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_request_line
9/7/2019 -- 11:38:29 - <Perf> - using shared mpm ctx' for http_response_line
9/7/2019 -- 11:38:29 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
9/7/2019 -- 11:38:29 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
9/7/2019 -- 11:38:29 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
9/7/2019 -- 11:38:29 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
9/7/2019 -- 11:38:29 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
9/7/2019 -- 11:38:29 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
9/7/2019 -- 11:38:29 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
9/7/2019 -- 11:38:29 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
9/7/2019 -- 11:38:30 - <Perf> - Unique rule groups: 111
9/7/2019 -- 11:38:30 - <Perf> - Builtin MPM "toserver TCP packet": 31
9/7/2019 -- 11:38:30 - <Perf> - Builtin MPM "toclient TCP packet": 20
9/7/2019 -- 11:38:30 - <Perf> - Builtin MPM "toserver TCP stream": 31
9/7/2019 -- 11:38:30 - <Perf> - Builtin MPM "toclient TCP stream": 21
9/7/2019 -- 11:38:30 - <Perf> - Builtin MPM "toserver UDP packet": 33
9/7/2019 -- 11:38:30 - <Perf> - Builtin MPM "toclient UDP packet": 15
9/7/2019 -- 11:38:30 - <Perf> - Builtin MPM "other IP packet": 2
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_uri": 8
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_request_line": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_client_body": 6
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient http_response_line": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_header": 6
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient http_header": 3
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_header_names": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_accept": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_referer": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_content_len": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_content_type": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient http_content_type": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_start": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_method": 3
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_cookie": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient http_cookie": 2
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver http_host": 2
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver dns_query": 4
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver tls_sni": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toserver file_data": 1
9/7/2019 -- 11:38:30 - <Perf> - AppLayer MPM "toclient file_data": 5
9/7/2019 -- 11:38:31 - <Perf> - Registered 18241 rule profiling counters.
9/7/2019 -- 11:38:31 - <Info> - fast output device (regular) initialized: alert
9/7/2019 -- 11:38:31 - <Info> - eve-log output device (regular) initialized: eve.json
9/7/2019 -- 11:38:31 - <Config> - enabling 'eve-log' module 'alert'
9/7/2019 -- 11:38:31 - <Config> - enabling 'eve-log' module 'http'
9/7/2019 -- 11:38:31 - <Config> - enabling 'eve-log' module 'dns'
9/7/2019 -- 11:38:31 - <Config> - enabling 'eve-log' module 'tls'
9/7/2019 -- 11:38:31 - <Config> - enabling 'eve-log' module 'files'
9/7/2019 -- 11:38:31 - <Config> - enabling 'eve-log' module 'ssh'
9/7/2019 -- 11:38:31 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
9/7/2019 -- 11:38:31 - <Info> - stats output device (regular) initialized: stats.log
9/7/2019 -- 11:38:31 - <Config> - AutoFP mode using "Hash" flow load balancer
9/7/2019 --