Filename: bbde72ac-e2d0-49df-981c-52bf1ebcc633.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 24.0793809891 seconds
Hash: dbe307eb2f936094b094812e94f609c3 (the first 32 hex digits of the 64-digit, SHA-256-length value that lastcmd below uses as the output directory name, so this is a truncated digest rather than an MD5)
Uploaded: 1542505331 (Unix epoch seconds, i.e. 2018-11-18 01:42:11 UTC; the Suricata log below starts one second later, so the run timestamps are also UTC)

Logfiles


packet_stats.log - (13904 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            20          8794599       36556612      18426557        368.5m   80.74
 IPv4      17             8          3689124       16937938       7576599         60.6m   13.28
 IPv6      17             3          4041486       18773886       9100655         27.3m    5.98
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            20            69291        5670627        632790         12.7m   47.39
TMM_FLOWWORKER              IPv4      17             8           119182       11248010       1650415         13.2m   49.44
TMM_RECEIVEPCAPFILE         IPv4       6            16             2545           3076          2747         44.0k    0.16
TMM_RECEIVEPCAPFILE         IPv4      17             8             2591           9666          3647         29.2k    0.11
TMM_DECODEPCAPFILE          IPv4       6            16             2660          61298          6499        104.0k    0.39
TMM_DECODEPCAPFILE          IPv4      17             8             2759          23683          5393         43.1k    0.16
TMM_FLOWWORKER              IPv6      17             3           115486         314086        199534        598.6k    2.24
TMM_RECEIVEPCAPFILE         IPv6      17             3             2780           3209          2931          8.8k    0.03
TMM_DECODEPCAPFILE          IPv6      17             3             2838          11550          5759         17.3k    0.06

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot     %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  ----
flow                    IPv4       6            16             2846           5205          3453         55.3k  0.38  
flow                    IPv4      17             8             2827          30501          8765         70.1k  0.48  
stream                  IPv4       6            20             3408         457043         43803        876.1k  6.02  
app-layer               IPv4      17             8             2527          38394         13867        110.9k  0.76  
detect                  IPv4       6            20            45450        5011701        529539         10.6m  72.78 
detect                  IPv4      17             8           102770         556473        277153          2.2m  15.24 
tcp-prune               IPv4       6            20             2565           7937          3227         64.6k  0.44  
flow                    IPv6      17             3             4030          16417          9672         29.0k  0.20  
app-layer               IPv6      17             3             2612          10547          7420         22.3k  0.15  
detect                  IPv6      17             3            93614         288530        171546        514.6k  3.54  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot     %% 
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  ----
http                    IPv4       6             2             6850          38396         22623         45.2k  32.53 
dns                     IPv4      17             2             8769          16522         12645         25.3k  18.18 
http                    IPv6      17             1            68573          68573         68573         68.6k  49.29 
Proto detect            IPv4       6             4             3791          10869          7106         28.4k
Proto detect            IPv4      17             4             2786          31670         15266         61.1k
Proto detect            IPv6      17             2             3704           4820          4262          8.5k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot          %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  ----
LOGGER_ALERT_FAST           IPv4       6             2            31045         137626         84335        168.7k  1.48  
LOGGER_UNIFIED2             IPv4       6             2            25147         192936        109041        218.1k  1.91  
LOGGER_JSON_ALERT           IPv4       6             2            49507         107187         78347        156.7k  1.37  
LOGGER_JSON_DNS             IPv4      17             2            61723       10618926       5340324         10.7m  93.47 
LOGGER_JSON_HTTP            IPv4       6             2            35220          68364         51792        103.6k  0.91  
LOGGER_JSON_FILE            IPv4       6             2            45368          54047         49707         99.4k  0.87  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6             6             3257         109969         31558       189.4k  14.21 
payload                           IPv4      17             8             3122          45616         14485       115.9k  8.70  
stream                            IPv4       6             6             2595         134181         41242       247.5k  18.57 
http_uri                          IPv4       6             2            10652          11952         11302        22.6k  1.70  
http_request_line                 IPv4       6             2             6132           8030          7081        14.2k  1.06  
http_client_body                  IPv4       6             2            13223          17196         15209        30.4k  2.28  
http_header (request)             IPv4       6             2           127039         181317        154178       308.4k  23.15 
http_header (request trailer)     IPv4       6             2             2634           2656          2645         5.3k  0.40  
http_header_names (request)       IPv4       6             2            25895          34580         30237        60.5k  4.54  
http_accept (request)             IPv4       6             2             3337           5994          4665         9.3k  0.70  
http_referer (request)            IPv4       6             2             3049           3399          3224         6.4k  0.48  
http_content_len (request)        IPv4       6             2             4553           5461          5007        10.0k  0.75  
http_content_type (request)       IPv4       6             2            10799          12066         11432        22.9k  1.72  
http_protocol (request)           IPv4       6             2             4860           5202          5031        10.1k  0.76  
http_start (request)              IPv4       6             2            15785          20752         18268        36.5k  2.74  
http_raw_header (request)         IPv4       6             2            17159          19276         18217        36.4k  2.73  
http_method                       IPv4       6             2             5060           6283          5671        11.3k  0.85  
http_cookie (request)             IPv4       6             2             3520           4470          3995         8.0k  0.60  
http_raw_uri                      IPv4       6             2             4909           5264          5086        10.2k  0.76  
http_user_agent                   IPv4       6             2            35913          50553         43233        86.5k  6.49  
http_host                         IPv4       6             2            11025          12744         11884        23.8k  1.78  
dns_query                         IPv4      17             1            17829          17829         17829        17.8k  1.34  
Total                             IPv4                    57                                         22513         1.3m
payload                           IPv6      17             3             3553          35233         16327        49.0k  3.68  
Total                             IPv6                     3                                         16327        49.0k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot          %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  ----
PROF_DETECT_IPONLY          IPv4       6             4            10616          68706         42833        171.3k  0.93  
PROF_DETECT_IPONLY          IPv4      17             4            39563         172599         95286        381.1k  2.07  
PROF_DETECT_RULES           IPv4       6            20             2689        4278091        391749          7.8m  42.56 
PROF_DETECT_RULES           IPv4      17             8            44497         316883        116422        931.4k  5.06  
PROF_DETECT_STATEFUL_START    IPv4       6             2          1870701        2227812       2049256          4.1m  22.26 
PROF_DETECT_STATEFUL_CONT    IPv4       6            20             2726          16367          5731        114.6k  0.62  
PROF_DETECT_STATEFUL_CONT    IPv4      17             8             2544          73395         13283        106.3k  0.58  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            10             2562           3203          2802         28.0k  0.15  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             2             3251           3967          3609          7.2k  0.04  
PROF_DETECT_PREFILTER       IPv4       6            20             7721         658655         83124          1.7m  9.03  
PROF_DETECT_PREFILTER       IPv4      17             8            23904          78389         43231        345.8k  1.88  
PROF_DETECT_PF_PAYLOAD      IPv4       6             6            15542         145743         80649        483.9k  2.63  
PROF_DETECT_PF_PAYLOAD      IPv4      17             8             8420          51002         19848        158.8k  0.86  
PROF_DETECT_PF_TX           IPv4       6            10             2944         462964         85155        851.6k  4.63  
PROF_DETECT_PF_TX           IPv4      17             1            24090          24090         24090         24.1k  0.13  
PROF_DETECT_PF_SORT1        IPv4       6             4             2879          37923         17489         70.0k  0.38  
PROF_DETECT_PF_SORT1        IPv4      17             8             2622           4535          3503         28.0k  0.15  
PROF_DETECT_PF_SORT2        IPv4       6            20             2514          15713          3864         77.3k  0.42  
PROF_DETECT_PF_SORT2        IPv4      17             8             2540           4450          3158         25.3k  0.14  
PROF_DETECT_NONMPMLIST      IPv4       6            20             2520           3649          3027         60.6k  0.33  
PROF_DETECT_NONMPMLIST      IPv4      17             8             2616           3505          3031         24.3k  0.13  
PROF_DETECT_ALERT           IPv4       6            20             2553           9616          3046         60.9k  0.33  
PROF_DETECT_ALERT           IPv4      17             8             2567          11889          3969         31.8k  0.17  
PROF_DETECT_CLEANUP         IPv4       6            20             2580           9653          3306         66.1k  0.36  
PROF_DETECT_CLEANUP         IPv4      17             8             2534           6706          3533         28.3k  0.15  
PROF_DETECT_GETSGH          IPv4       6            20             2575          12982          3981         79.6k  0.43  
PROF_DETECT_GETSGH          IPv4      17             8             2769         102778         16502        132.0k  0.72  
PROF_DETECT_IPONLY          IPv6      17             2             6896          17026         11961         23.9k  0.13  
PROF_DETECT_RULES           IPv6      17             3            34930         163755         79600        238.8k  1.30  
PROF_DETECT_STATEFUL_CONT    IPv6      17             3             2595           2774          2713          8.1k  0.04  
PROF_DETECT_PREFILTER       IPv6      17             3            24220          59206         38556        115.7k  0.63  
PROF_DETECT_PF_PAYLOAD      IPv6      17             3             8622          40533         21485         64.5k  0.35  
PROF_DETECT_PF_SORT1        IPv6      17             3             2597           4924          3550         10.7k  0.06  
PROF_DETECT_PF_SORT2        IPv6      17             3             2560           3291          2843          8.5k  0.05  
PROF_DETECT_NONMPMLIST      IPv6      17             3             2757           2781          2765          8.3k  0.05  
PROF_DETECT_ALERT           IPv6      17             3             2571           2619          2590          7.8k  0.04  
PROF_DETECT_CLEANUP         IPv6      17             3             2560           3421          2929          8.8k  0.05  
PROF_DETECT_GETSGH          IPv6      17             3             3037          20610          9937         29.8k  0.16  


suricata-4.0.0-etpro-all-alert-2018-11-18-T-01-42-35-11182018.0142-bbde72ac-e2d0-49df-981c-52bf1ebcc633.pcap.txt - (410 bytes)
11/18/2018-01:41:40.761160  [**] [1:2010066:14] ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.204:49370 -> 185.52.3.248:80
11/18/2018-01:41:40.761160  [**] [1:2010066:14] ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.204:51165 -> 185.52.3.248:80
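The two alert lines above carry the same signature (gid 1, sid 2010066, rev 14), the same timestamp, the same client 192.168.100.204 and the same server 185.52.3.248:80; only the client port differs (49370 vs 51165), so they are one finding triggered by two connections. The following is an added example, not part of this report and not Suricata's own code: it parses fast.log lines of exactly this layout into structured records and collapses repeats by (sid, source IP, destination IP, destination port). The sample input is constructed from the two lines above plus one clearly marked hypothetical ICMP line, added only to exercise the no-port case; the field names and the `split_endpoint` helper are this example's own choices.

```python
"""Parse Suricata fast.log alert lines into structured records and
aggregate repeated hits of one signature per source/destination pair."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# fast.log line layout (the two alert lines on this page follow it):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src> -> <dst>
# The Classification block is absent when the rule has no classtype, so it is optional here.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
PORTED = {"TCP", "UDP", "SCTP"}  # protocols whose endpoints are written as ip:port


def split_endpoint(endpoint: str, proto: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' on the last colon, but only for protocols that carry a port;
    an IPv6 ICMP endpoint such as 2001:db8::1 must not lose its last hex group."""
    if proto.upper() not in PORTED:
        return endpoint, None
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)


def parse_fast_line(line: str) -> Optional[dict]:
    """Return a record for one alert line, or None for lines that do not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"], m["proto"])
    dst_ip, dst_port = split_endpoint(m["dst"], m["proto"])
    return {
        "timestamp": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["cls"],   # None when the rule had no classtype
        "priority": int(m["prio"]),
        "proto": m["proto"].upper(),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def aggregate(lines: List[str]) -> Dict[tuple, dict]:
    """Collapse alerts by (sid, src_ip, dst_ip, dst_port). Repeated hits of one
    signature from one host to one service are a single finding; the set of
    client ports records how many separate connections triggered it."""
    groups: Dict[tuple, dict] = {}
    for line in lines:
        rec = parse_fast_line(line)
        if rec is None:
            continue  # skip blank or non-alert lines rather than failing the whole file
        key = (rec["sid"], rec["src_ip"], rec["dst_ip"], rec["dst_port"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = {"msg": rec["msg"], "priority": rec["priority"], "count": 0,
                               "src_ports": set(), "first_seen": rec["timestamp"],
                               "last_seen": rec["timestamp"]}
        g["count"] += 1
        if rec["src_port"] is not None:
            g["src_ports"].add(rec["src_port"])
        g["first_seen"] = min(g["first_seen"], rec["timestamp"])
        g["last_seen"] = max(g["last_seen"], rec["timestamp"])
    return groups


# Constructed sample: the two alert lines from this page's fast.log, plus one
# hypothetical ICMP line (not from the page) to exercise the no-port path.
SAMPLE_FAST_LOG = [
    "11/18/2018-01:41:40.761160  [**] [1:2010066:14] ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.204:49370 -> 185.52.3.248:80",
    "11/18/2018-01:41:40.761160  [**] [1:2010066:14] ET POLICY Data POST to an image file (gif) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.204:51165 -> 185.52.3.248:80",
    "11/18/2018-01:41:41.000000  [**] [1:9999999:1] HYPOTHETICAL ICMP test line [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.204 -> 185.52.3.248",
]

if __name__ == "__main__":
    for (sid, src, dst, dport), g in aggregate(SAMPLE_FAST_LOG).items():
        print(f"sid={sid} {src} -> {dst}:{dport} x{g['count']} "
              f"client_ports={sorted(g['src_ports'])} {g['msg']}")
```

Aggregating on the server side of the tuple is deliberate: the client port is ephemeral and changes per connection, so keying on it would turn every retry into a fresh finding. Run on the two lines above, the TCP group has count 2 and client ports {49370, 51165}.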


suricata-report-2018-11-18-T-01-42-35-11182018.0142-bbde72ac-e2d0-49df-981c-52bf1ebcc633.pcap.txt - (17920 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/dbe307eb2f936094b094812e94f609c356b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11182018.0142-bbde72ac-e2d0-49df-981c-52bf1ebcc633.pcap -vvv -k none
elapsedtime:23.051131
stderr:
stdout:
18/11/2018 -- 01:42:12 - <Info> - Configuration node 'rule-files' redefined.
18/11/2018 -- 01:42:12 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/11/2018 -- 01:42:12 - <Info> - CPUs/cores online: 1
18/11/2018 -- 01:42:12 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32672 and 'request-body-inspect-window' set to 16257 after randomization.
18/11/2018 -- 01:42:12 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33345 and 'response-body-inspect-window' set to 16626 after randomization.
18/11/2018 -- 01:42:12 - <Config> - DNS request flood protection level: 500
18/11/2018 -- 01:42:12 - <Config> - DNS per flow memcap (state-memcap): 524288
18/11/2018 -- 01:42:12 - <Config> - DNS global memcap: 16777216
18/11/2018 -- 01:42:12 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/11/2018 -- 01:42:12 - <Config> - preallocated 1000 hosts of size 136
18/11/2018 -- 01:42:12 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
18/11/2018 -- 01:42:12 - <Config> - using magic-file /usr/share/file/magic
18/11/2018 -- 01:42:12 - <Config> - Core dump size is unlimited.
18/11/2018 -- 01:42:12 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/11/2018 -- 01:42:12 - <Config> - preallocated 1000 defrag trackers of size 168
18/11/2018 -- 01:42:12 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
18/11/2018 -- 01:42:12 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/11/2018 -- 01:42:12 - <Config> - stream "memcap": 33554432
18/11/2018 -- 01:42:12 - <Config> - stream "midstream" session pickups: disabled
18/11/2018 -- 01:42:12 - <Config> - stream "async-oneside": disabled
18/11/2018 -- 01:42:12 - <Config> - stream "checksum-validation": disabled
18/11/2018 -- 01:42:12 - <Config> - stream."inline": disabled
18/11/2018 -- 01:42:12 - <Config> - stream "bypass": disabled
18/11/2018 -- 01:42:12 - <Config> - stream "max-synack-queued": 5
18/11/2018 -- 01:42:12 - <Config> - stream.reassembly "memcap": 134217728
18/11/2018 -- 01:42:12 - <Config> - stream.reassembly "depth": 0
18/11/2018 -- 01:42:12 - <Config> - stream.reassembly "toserver-chunk-size": 2641
18/11/2018 -- 01:42:12 - <Config> - stream.reassembly "toclient-chunk-size": 2493
18/11/2018 -- 01:42:12 - <Config> - stream.reassembly.raw: enabled
18/11/2018 -- 01:42:12 - <Config> - stream.reassembly "segment-prealloc": 2048
18/11/2018 -- 01:42:12 - <Config> - Delayed detect disabled
18/11/2018 -- 01:42:12 - <Config> - pattern matchers: MPM: ac, SPM: bm
18/11/2018 -- 01:42:12 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/11/2018 -- 01:42:12 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
18/11/2018 -- 01:42:12 - <Config> - prefilter engines: MPM
18/11/2018 -- 01:42:12 - <Config> - IP reputation disabled
18/11/2018 -- 01:42:12 - <Perf> - Registered 148 keyword profiling counters.
18/11/2018 -- 01:42:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
18/11/2018 -- 01:42:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
18/11/2018 -- 01:42:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
18/11/2018 -- 01:42:17 - <Config> - No rules loaded from ET-icmp.rules.
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
18/11/2018 -- 01:42:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
18/11/2018 -- 01:42:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
18/11/2018 -- 01:42:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
18/11/2018 -- 01:42:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
18/11/2018 -- 01:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
18/11/2018 -- 01:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
18/11/2018 -- 01:42:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
18/11/2018 -- 01:42:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
18/11/2018 -- 01:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
18/11/2018 -- 01:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
18/11/2018 -- 01:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
18/11/2018 -- 01:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
18/11/2018 -- 01:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
18/11/2018 -- 01:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
18/11/2018 -- 01:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
18/11/2018 -- 01:42:25 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
18/11/2018 -- 01:42:25 - <Config> - No rules loaded from local.rules.
18/11/2018 -- 01:42:25 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
18/11/2018 -- 01:42:25 - <Info> - Threshold config parsed: 0 rule(s) found
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for tcp-packet
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for tcp-stream
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for udp-packet
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for other-ip
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_uri
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_request_line
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_client_body
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_response_line
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_header
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_header
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_header_names
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_header_names
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_accept
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_accept_enc
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_accept_lang
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_referer
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_connection
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_content_len
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_content_len
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_content_type
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_content_type
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_protocol
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_protocol
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_start
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_start
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_raw_header
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_raw_header
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_method
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_cookie
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_cookie
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_raw_uri
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_user_agent
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_host
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_raw_host
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_stat_msg
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_stat_code
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for dns_query
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for tls_sni
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for tls_cert_issuer
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for tls_cert_subject
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for tls_cert_serial
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for dce_stub_data
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for dce_stub_data
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for ssh_protocol
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for ssh_protocol
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for ssh_software
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for ssh_software
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for file_data
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for file_data
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_request_line
18/11/2018 -- 01:42:26 - <Perf> - using shared mpm ctx' for http_response_line
18/11/2018 -- 01:42:26 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
18/11/2018 -- 01:42:26 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
18/11/2018 -- 01:42:26 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
18/11/2018 -- 01:42:26 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
18/11/2018 -- 01:42:26 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
18/11/2018 -- 01:42:26 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
18/11/2018 -- 01:42:26 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
18/11/2018 -- 01:42:26 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
18/11/2018 -- 01:42:31 - <Perf> - Unique rule groups: 104
18/11/2018 -- 01:42:31 - <Perf> - Builtin MPM "toserver TCP packet": 35
18/11/2018 -- 01:42:31 - <Perf> - Builtin MPM "toclient TCP packet": 17
18/11/2018 -- 01:42:31 - <Perf> - Builtin MPM "toserver TCP stream": 33
18/11/2018 -- 01:42:31 - <Perf> - Builtin MPM "toclient TCP stream": 19
18/11/2018 -- 01:42:31 - <Perf> - Builtin MPM "toserver UDP packet": 27
18/11/2018 -- 01:42:31 - <Perf> - Builtin MPM "toclient UDP packet": 17
18/11/2018 -- 01:42:31 - <Perf> - Builtin MPM "other IP packet": 3
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_uri": 14
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_request_line": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_client_body": 6
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient http_response_line": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_header": 10
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient http_header": 6
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_header_names": 2
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_accept": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_referer": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_content_len": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_content_type": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient http_content_type": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_protocol": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_start": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_method": 5
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_cookie": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient http_cookie": 2
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver http_host": 2
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver dns_query": 4
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver tls_sni": 2
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toserver file_data": 1
18/11/2018 -- 01:42:31 - <Perf> - AppLayer MPM "toclient file_data": 7
18/11/2018 -- 01:42:34 - <Perf> - Registered 39590 rule profiling counters.
18/11/2018 -- 01:42:34 - <Info> - fast output device (regular) initialized: alert
18/11/2018 -- 01:42:34 - <Info> - eve-log output device (regular) initialized: eve.json
18/11/2018 -- 01:42:34 - <Config> - enabling 'eve-log' module 'alert'
18/11/2018 -- 01:42:34 - <Config> - enabling 'eve-log' module 'http'
18/11/2018 -- 01:42:34 - <Config> - enabling 'eve-log' module 'dns'
18/11/2018 -- 01:42:34 - <Config> - enabling 'eve-log' module 'tls'
18/11/2018 -- 01:42:34 - <Config> - enabling 'eve-log' module 'files'
18/11/2018 -- 01:42:34 - <Config> - enabling 'eve-log' module 'ssh'
18/11/2018 -- 01:42:34 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/11/2018 -- 01:42:34 - <Info> - stats output device (regular) initialized: stats.log
18/11/2018 -- 01:42:34 - <Config> - Aut

This file has been truncated.


stats.log - (2906 bytes)
------------------------------------------------------------------------------------
Date: 11/18/2018 -- 01:42:35 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 188
decoder.bytes                              | Total                     | 11380
decoder.ipv4                               | Total                     | 24
decoder.ipv6                               | Total                     | 3
decoder.ethernet                           | Total                     | 188
decoder.tcp                                | Total                     | 16
decoder.udp                                | Total                     | 11
decoder.avg_pkt_size                       | Total                     | 60
decoder.max_pkt_size                       | Total                     | 550
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 5
tcp.sessions                               | Total                     | 2
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
tcp.rst                                    | Total                     | 2
detect.alert                               | Total                     | 2
detect.mpm_list                            | Total                     | 10
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 11
app_layer.tx.http                          | Total                     | 2
app_layer.flow.dns_udp                     | Total                     | 1
app_layer.tx.dns_udp                       | Total                     | 1
app_layer.flow.failed_udp                  | Total                     | 4
flow.spare                                 | Total                     | 9997
flow_mgr.flows_checked                     | Total                     | 4
flow_mgr.flows_notimeout                   | Total                     | 4
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65532
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075456


eve.json - (3777 bytes)
{"timestamp":"2018-11-18T01:36:48.631374+0000","flow_id":999231694348878,"pcap_cnt":17,"event_type":"dns","src_ip":"192.168.100.204","src_port":54567,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35190,"rrname":"3499ee61.phpmyadmin.greentechsupply.us","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-18T01:36:48.670613+0000","flow_id":999231694348878,"pcap_cnt":18,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.204","dest_port":54567,"proto":"UDP","dns":{"type":"answer","id":35190,"rcode":"NOERROR","rrname":"3499ee61.phpmyadmin.greentechsupply.us","rrtype":"A","ttl":599,"rdata":"185.52.3.248"}}
{"timestamp":"2018-11-18T01:41:40.761160+0000","flow_id":1436794372613534,"event_type":"alert","src_ip":"192.168.100.204","src_port":49370,"dest_ip":"185.52.3.248","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2010066,"rev":14,"signature":"ET POLICY Data POST to an image file (gif)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-18T01:41:40.761160+0000","flow_id":1436794372613534,"event_type":"http","src_ip":"192.168.100.204","src_port":49370,"dest_ip":"185.52.3.248","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"3499ee61.phpmyadmin.greentechsupply.us","url":"\/blank.gif","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"2018-11-18T01:41:40.761160+0000","flow_id":1436794372613534,"event_type":"fileinfo","src_ip":"192.168.100.204","src_port":49370,"dest_ip":"185.52.3.248","dest_port":80,"proto":"TCP","http":{"hostname":"3499ee61.phpmyadmin.greentechsupply.us","url":"\/blank.gif","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/blank.gif","gaps":false,"state":"CLOSED","stored":false,"size":72,"tx_id":0}}
{"timestamp":"2018-11-18T01:41:40.761160+0000","flow_id":745167207431240,"event_type":"alert","src_ip":"192.168.100.204","src_port":51165,"dest_ip":"185.52.3.248","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2010066,"rev":14,"signature":"ET POLICY Data POST to an image file (gif)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-18T01:41:40.761160+0000","flow_id":745167207431240,"event_type":"http","src_ip":"192.168.100.204","src_port":51165,"dest_ip":"185.52.3.248","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"3499ee61.phpmyadmin.greentechsupply.us","url":"\/blank.gif","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"2018-11-18T01:41:40.761160+0000","flow_id":745167207431240,"event_type":"fileinfo","src_ip":"192.168.100.204","src_port":51165,"dest_ip":"185.52.3.248","dest_port":80,"proto":"TCP","http":{"hostname":"3499ee61.phpmyadmin.greentechsupply.us","url":"\/blank.gif","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident\/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/blank.gif","gaps":false,"state":"CLOSED","stored":false,"size":72,"tx_id":0}}


unified2.alert.1542505354 - (1560 bytes)
[unified2 is a binary format; the record and packet headers did not render as text and are omitted. The two captured HTTP requests, each followed by its 72-byte body, are shown as logged.]

POST /blank.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Age: d1a936efbdf6dd9b
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 3499ee61.phpmyadmin.greentechsupply.us
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

a=773f0f020b5b0e0e5c0f0d09190e020a0f08190d020e0a0b0d0a0f0a0f0f070d0c0c19

POST /blank.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Age: d1a936efbdf6dd9b
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 3499ee61.phpmyadmin.greentechsupply.us
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

a=773f0f020b5b0e0e5c0f0d09190e020a0f08190d020e0a0b0d0a0f0a0f0f070d0c0c19


keyword_perf.log - (10576 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/18/2018 -- 01:42:35
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             616226          186             186             18760           3313.00         3313.00         0.00           
  content          1561185         352             236             77361           4435.00         4644.00         4009.00        
  pcre             425234          44              14              58745           9664.00         8109.00         10390.00       
  byte_test        51922           11              4               18701           4720.00         7567.00         3093.00        
  isdataat         2820            1               0               2820            2820.00         0.00            2820.00        
  flowbits         21547           2               2               17010           10773.00        10773.00        0.00           
  urilen           175895          56              12              3995            3140.00         3134.00         3142.00        
  byte_extract     13162           2               2               9773            6581.00         6581.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             616226          186             186             18760           3313.00         3313.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          174943          40              26              16087           4373.00         4740.00         3692.00        
  pcre             13273           2               0               9578            6636.00         0.00            6636.00        
  byte_test        44612           9               4               18701           4956.00         7567.00         2868.00        
  isdataat         2820            1               0               2820            2820.00         0.00            2820.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         21547           2               2               17010           10773.00        10773.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          128181          36              12              4494            3560.00         3713.00         3484.00        
  pcre             125350          16              0               15923           7834.00         0.00            7834.00        
  urilen           175895          56              12              3995            3140.00         3134.00         3142.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          76877           18              14              14877           4270.00         4504.00         3453.00        
  pcre             40983           4               2               15650           10245.00        6982.00         13509.00       
  byte_test        7310            2               0               3783            3655.00         0.00            3655.00        
  byte_extract     13162           2               2               9773            6581.00         6581.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          860515          178             128             77361           4834.00         5022.00         4353.00        
  pcre             216195          18              8               58745           12010.00        8766.00         14606.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          29907           8               6               4387            3738.00         3753.00         3693.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9001            2               2               4737            4500.00         4500.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          36137           10              8               4965            3613.00         3346.00         4681.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          233384          56              36              22331           4167.00         4216.00         4079.00        
  pcre             29433           4               4               10721           7358.00         7358.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          12240           4               4               3288            3060.00         3060.00         0.00           
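The keyword_perf.log sections above are what a detection engineer reads when a ruleset is slow: the interesting rows are keywords that are checked often, rarely match, and cost more on the no-match path (pcre against http_uri here: 16 checks, 0 matches, 7834 ticks each). The following Python is an added example, not Suricata code and not part of this output, that parses the "Stats for:" table format and ranks (buffer, keyword) pairs by the ticks they spend on checks that never matched. The sample text is a constructed excerpt of two sections copied from the log above.

```python
"""Parse Suricata keyword_perf.log and rank keyword/buffer pairs by ticks spent
on checks that did not match. Added example; not part of Suricata or of the
page's own output. SAMPLE_KEYWORD_PERF is a constructed excerpt of the log above.
"""
import re

SAMPLE_KEYWORD_PERF = """\
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/18/2018 -- 01:42:35
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  flow             616226          186             186             18760           3313.00         3313.00         0.00
  content          1561185         352             236             77361           4435.00         4644.00         4009.00
  pcre             425234          44              14              58745           9664.00         8109.00         10390.00
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          128181          36              12              4494            3560.00         3713.00         3484.00
  pcre             125350          16              0               15923           7834.00         0.00            7834.00
  urilen           175895          56              12              3995            3140.00         3134.00         3142.00
"""

# One data row: lowercase keyword name followed by the seven numeric columns.
ROW_RE = re.compile(
    r"^\s*(?P<keyword>[a-z_]+)\s+(?P<ticks>\d+)\s+(?P<checks>\d+)\s+(?P<matches>\d+)"
    r"\s+(?P<max_ticks>\d+)\s+(?P<avg>[\d.]+)\s+(?P<avg_match>[\d.]+)\s+(?P<avg_nomatch>[\d.]+)\s*$"
)
SECTION_RE = re.compile(r"^\s*Stats for:\s*(.+?)\s*$")


def parse_keyword_perf(text):
    """Return {section: {keyword: row}} for every 'Stats for:' section.
    Header, separator and Date lines never match ROW_RE and are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        sections[current][d["keyword"]] = {
            k: (float(v) if "." in v else int(v)) for k, v in d.items() if k != "keyword"
        }
    return sections


def nomatch_cost(sections, skip=("total",)):
    """(section, keyword, est. ticks on non-matching checks, checks, matches),
    sorted descending. 'total' is skipped because it aggregates the others."""
    out = []
    for sec, rows in sections.items():
        if sec in skip:
            continue
        for kw, r in rows.items():
            misses = r["checks"] - r["matches"]
            out.append((sec, kw, misses * r["avg_nomatch"], r["checks"], r["matches"]))
    out.sort(key=lambda t: t[2], reverse=True)
    return out


def never_matching(sections, skip=("total",)):
    """(section, keyword) pairs that were evaluated but matched nothing: the first
    candidates for tightening the rule's prefilter or fast_pattern."""
    return sorted(
        (sec, kw)
        for sec, rows in sections.items() if sec not in skip
        for kw, r in rows.items() if r["checks"] > 0 and r["matches"] == 0
    )


if __name__ == "__main__":
    parsed = parse_keyword_perf(SAMPLE_KEYWORD_PERF)
    for sec, kw, cost, checks, matches in nomatch_cost(parsed):
        print(f"{sec:14} {kw:10} {cost:12.0f} ticks wasted ({matches}/{checks} matched)")
    print("never matched:", never_matching(parsed))
```

The estimate (checks minus matches) times "Avg No Match" reproduces the Ticks column closely (16 x 7834 = 125344 against 125350 logged for http_uri pcre), so the per-row averages are enough to rank without the raw profile. Note that pcre's no-match average exceeds its match average in both the total and http_header sections above; a regex that fails late is the expensive case, which is why a content anchor before the pcre is the usual fix.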


suricata-4.0.0-etpro-all-perf.txt-2018-11-18-T-01-42-35-11182018.0142-bbde72ac-e2d0-49df-981c-52bf1ebcc633.pcap.txt - (19799 bytes)
  --------------------------------------------------------------------------
  Date: 11/18/2018 -- 01:42:35. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2816910      1        2        232260       3.25   2        0        129145      116130.00   0.00        116130.00  
  2        2810991      1        4        140394       1.96   2        0        93599       70197.00    0.00        70197.00   
  3        2022339      1        2        129022       1.80   2        0        92960       64511.00    0.00        64511.00   
  4        2816909      1        2        147374       2.06   2        0        90804       73687.00    0.00        73687.00   
  5        2821148      1        4        110541       1.55   2        0        65188       55270.50    0.00        55270.50   
  6        2023670      1        3        103635       1.45   2        2        61596       51817.50    51817.50    0.00       
  7        2816940      1        2        116142       1.62   2        0        61515       58071.00    0.00        58071.00   
  8        2024848      1        2        99254        1.39   2        0        59828       49627.00    0.00        49627.00   
  9        2017613      1        9        94137        1.32   2        0        59338       47068.50    0.00        47068.50   
  10       2025064      1        5        109297       1.53   2        0        58855       54648.50    0.00        54648.50   
  11       2010066      1        14       97298        1.36   2        2        52247       48649.00    48649.00    0.00       
  12       2816739      1        2        91778        1.28   2        0        51513       45889.00    0.00        45889.00   
  13       2820851      1        5        87366        1.22   2        0        51237       43683.00    0.00        43683.00   
  14       2828122      1        2        83261        1.16   2        0        48757       41630.50    0.00        41630.50   
  15       2819993      1        2        91658        1.28   2        0        47961       45829.00    0.00        45829.00   
  16       2816929      1        4        85557        1.20   2        0        47484       42778.50    0.00        42778.50   
  17       2023315      1        2        92297        1.29   2        0        47407       46148.50    0.00        46148.50   
  18       2022609      1        2        79859        1.12   2        0        46763       39929.50    0.00        39929.50   
  19       2024767      1        2        88891        1.24   2        0        45758       44445.50    0.00        44445.50   
  20       2816327      1        4        77607        1.09   2        0        43816       38803.50    0.00        38803.50   
  21       2809682      1        5        64837        0.91   2        0        43642       32418.50    0.00        32418.50   
  22       2816925      1        3        69472        0.97   2        0        42986       34736.00    0.00        34736.00   
  23       2816526      1        13       69949        0.98   2        0        42266       34974.50    0.00        34974.50   
  24       2814883      1        3        80135        1.12   2        0        41987       40067.50    0.00        40067.50   
  25       2018452      1        15       74717        1.05   2        0        41777       37358.50    0.00        37358.50   
  26       2821561      1        2        68063        0.95   2        0        41168       34031.50    0.00        34031.50   
  27       2022502      1        4        80288        1.12   2        0        40842       40144.00    0.00        40144.00   
  28       2805260      1        4        61688        0.86   2        0        40773       30844.00    0.00        30844.00   
  29       2816356      1        2        69633        0.97   2        0        40549       34816.50    0.00        34816.50   
  30       2811711      1        2        74457        1.04   2        0        40461       37228.50    0.00        37228.50   
  31       2806921      1        3        74240        1.04   2        0        39877       37120.00    0.00        37120.00   
  32       2816525      1        10       72802        1.02   2        0        39767       36401.00    0.00        36401.00   
  33       2003657      1        18       62147        0.87   2        0        39589       31073.50    0.00        31073.50   
  34       2018496      1        9        68823        0.96   2        0        39391       34411.50    0.00        34411.50   
  35       2021038      1        4        64493        0.90   2        0        38881       32246.50    0.00        32246.50   
  36       2819673      1        4        65784        0.92   2        0        38182       32892.00    0.00        32892.00   
  37       2009702      1        5        41148        0.58   2        0        37894       20574.00    0.00        20574.00   
  38       2822241      1        3        70557        0.99   2        0        37890       35278.50    0.00        35278.50   
  39       2801224      1        6        71928        1.01   2        0        37576       35964.00    0.00        35964.00   
  40       2021069      1        2        65921        0.92   2        0        37519       32960.50    0.00        32960.50   
  41       2815817      1        5        66412        0.93   2        0        37448       33206.00    0.00        33206.00   
  42       2017552      1        6        56566        0.79   2        0        36912       28283.00    0.00        28283.00   
  43       2023875      1        2        71392        1.00   2        0        36783       35696.00    0.00        35696.00   
  44       2018358      1        7        71350        1.00   2        0        36556       35675.00    0.00        35675.00   
  45       2823603      1        2        64762        0.91   2        0        36351       32381.00    0.00        32381.00   
  46       2003492      1        30       55238        0.77   2        0        35532       27619.00    0.00        27619.00   
  47       2806959      1        2        68977        0.96   2        0        35519       34488.50    0.00        34488.50   
  48       2022503      1        2        67389        0.94   2        0        35366       33694.50    0.00        33694.50   
  49       2815201      1        2        56192        0.79   2        0        34924       28096.00    0.00        28096.00   
  50       2010140      1        7        75864        1.06   10       0        34228       7586.40     0.00        7586.40    
  51       2019881      1        3        59549        0.83   2        0        33396       29774.50    0.00        29774.50   
  52       2816924      1        4        66325        0.93   2        0        33309       33162.50    0.00        33162.50   
  53       2014380      1        4        87798        1.23   4        0        32874       21949.50    0.00        21949.50   
  54       2019344      1        5        60818        0.85   2        0        32466       30409.00    0.00        30409.00   
  55       2809859      1        6        61172        0.86   2        0        31934       30586.00    0.00        30586.00   
  56       2017259      1        12       59703        0.84   2        0        31465       29851.50    0.00        29851.50   
  57       2018981      1        4        59814        0.84   2        0        30270       29907.00    0.00        29907.00   
  58       2022207      1        4        58846        0.82   2        0        30192       29423.00    0.00        29423.00   
  59       2022220      1        2        59358        0.83   2        0        29689       29679.00    0.00        29679.00   
  60       2812916      1        6        56981        0.80   2        0        29677       28490.50    0.00        28490.50   
  61       2018983      1        7        57603        0.81   2        0        29614       28801.50    0.00        28801.50   
  62       2821615      1        2        56828        0.79   2        0        29584       28414.00    0.00        28414.00   
  63       2016858      1        10       56963        0.80   2        0        29283       28481.50    0.00        28481.50   
  64       2014133      1        4        56566        0.79   2        0        29202       28283.00    0.00        28283.00   
  65       2816055      1        2        56488        0.79   2        0        29056       28244.00    0.00        28244.00   
  66       2022262      1        3        56246        0.79   2        0        28835       28123.00    0.00        28123.00   
  67       2019693      1        5        56338        0.79   2        0        28678       28169.00    0.00        28169.00   
  68       2816927      1        3        55577        0.78   2        0        28586       27788.50    0.00        27788.50   
  69       2815324      1        2        54736        0.77   2        0        28359       27368.00    0.00        27368.00   
  70       2816328      1        5        55923        0.78   2        0        28293       27961.50    0.00        27961.50   
  71       2816922      1        5        54002        0.76   2        0        28223       27001.00    0.00        27001.00   
  72       2806132      1        3        55352        0.77   2        0        28054       27676.00    0.00        27676.00   
  73       2820031      1        2        54051        0.76   2        0        27977       27025.50    0.00        27025.50   
  74       2018242      1        5        54617        0.76   2        0        27608       27308.50    0.00        27308.50   
  75       2011894      1        19       54346        0.76   2        0        27606       27173.00    0.00        27173.00   
  76       2816928      1        3        53013        0.74   2        0        27188       26506.50    0.00        26506.50   
  77       2816931      1        3        53593        0.75   2        0        26797       26796.50    0.00        26796.50   
  78       2816930      1        4        51987        0.73   2        0        26331       25993.50    0.00        25993.50   
  79       2810084      1        2        46858        0.66   2        0        25367       23429.00    0.00        23429.00   
  80       2012612      1        16       44602        0.62   2        0        23449       22301.00    0.00        22301.00   
  81       2014701      1        12       26806        0.37   2        0        23412       13403.00    0.00        13403.00   
  82       2022049      1        3        43214        0.60   2        0        22480       21607.00    0.00        21607.00   
  83       2809547      1        5        42637        0.60   2        0        22472       21318.50    0.00        21318.50   
  84       2024178      1        2        43176        0.60   2        0        22405       21588.00    0.00        21588.00   
  85       2816669      1        4        43360        0.61   2        0        22403       21680.00    0.00        21680.00   
  86       2826256      1        2        42544        0.60   2        0        22145       21272.00    0.00        21272.00   
  87       2018958      1        18       43424        0.61   2        0        22144       21712.00    0.00        21712.00   
  88       2022199      1        2        42324        0.59   2        0        21946       21162.00    0.00        21162.00   
  89       2816165      1        5        41610        0.58   2        0        21742       20805.00    0.00        20805.00   
  90       2018010      1        5        41691        0.58   2        0        21738       20845.50    0.00        20845.50   
  91       2827279      1        5        42080        0.59   2        0        21729       21040.00    0.00        21040.00   
  92       2827580      1        7        41971        0.59   2        0        21701       20985.50    0.00        20985.50   
  93       2016223      1        10       41183        0.58   2        0        21331       20591.50    0.00        20591.50   
  94       2804626      1        9        42149        0.59   2        0        21294       21074.50    0.00        21074.50   
  95       2819785      1        2        41549        0.58   2        0        21088       20774.50    0.00        20774.50   
  96       2020705      1        4        40795        0.57   2        0        20803       20397.50    0.00        20397.50   
  97       2828008      1        2        40671        0.57   2        0        20773       20335.50    0.00        20335.50   
  98       2022543      1        1        19532        0.27   1        0        19532       19532.00    0.00        19532.00   
  99       2803760      1        3        16952        0.24   1        0        16952       16952.00    0.00        16952.00   
  100      2811539      1        1        20727        0.29   2        0        16723       10363.50    0.00        10363.50   
  101      2826281      1        2        16472        0.23   1        0        16472       16472.00    0.00        16472.00   
  102      2014702      1        9        17747        0.25   2        0        14796       8873.50     0.00        8873.50    
  103      2014703      1        9        18351        0.26   2        0        14520       9175.50     0.00        9175.50    
  104      2020388      1        8        7897         0.11   2        0        4225        3948.50     0.00        3948.50    
  105      2823788      1        4        4089         0.06   1        0        4089        4089.00     0.00        4089.00    
  106      2100540      1        12       13551        0.19   4        0        3879        3387.75     0.00        3387.75    
  107      2804587      1        2        7206         0.10   2        0        3868        3603.00     0.00        3603.00    
  108      2804589      1        3        6867         0.10   2        0        3779        3433.50     0.00        3433.50    
  109      2008116      1        4        6901         0.10   2        0        3757        3450.50     0.00        3450.50    
  110      2008120      1        4        32000        0.45   11       0        3710        2909.09     0.00        2909.09    
  111      2025200      1        1        6891         0.10   2        0        3579        3445.50     0.00        3445.50    
  112      2013739      1        15       24868        0.35   9        0        3478        2763.11     0.00        2763.11    
  113      2010143      1        3        28811        0.40   10       0        3468        2881.10     0.00        2881.10    
  114      2810794      1        5        6215         0.09   2        0        3462        3107.50     0.00        3107.50    
  115      2023624      1        3        19370        0.27   7        0        3383        2767.14     0.00        2767.14    
  116      2100518      1        8        6061         0.08   2        0        3383        3030.50     0.00        3030.50    
  117      2811445      1        4        6315         0.09   2        0        3327        3157.50     0.00        3157.50    
  118      2013926      1        8        6244         0.09   2        0        3317        3122.00     0.00        3122.00    
  119      2008117      1        3        3291         0.05   1        0        3291        3291.00     0.00        3291.00    
  120      2828876      1        1        17996        0.25   6        0        3288        2999.33     0.00        2999.33    
  121      2801347      1        5        5827         0.08   2        0        3287        2913.50     0.00        2913.50    
  122      2802205      1        3        6212         0.09   2        0        3270        3106.00     0.00        3106.00    
  123      2009243      1        2        6345         0.09   2        0        3266        3172.50     0.00        3172.50    
  124      2023626      1        3        16904        0.24   6        0        3262        2817.33     0.00        2817.33    
  125      2023622      1        3        

This file has been truncated.


IDSDeathBlossom.py.log - (1176 bytes) - download
2018-11-18 01:42:11,450 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-18 01:42:12,254 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-18 01:42:12,254 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-11-18 01:42:12,255 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-18 01:42:12,255 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-18 01:42:12,255 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/dbe307eb2f936094b094812e94f609c356b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11182018.0142-bbde72ac-e2d0-49df-981c-52bf1ebcc633.pcap -vvv -k none
2018-11-18 01:42:35,309 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-18 01:42:35,309 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.8699669838