Filename: 44c1463c-cda3-4a46-a14a-2cbcc42c12cc.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 22.4865651131 seconds
Hash: dd4517551ee46094d4d7c344878a5e76 (first 32 hex digits of the 64-digit hash used as the output directory name in the lastcmd below; not a standalone MD5)
Uploaded: 1553267276 (Unix epoch; 2019-03-22 15:07:56 UTC)

Logfiles


packet_stats.log (19563 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       2             6        281032799      297301571     291560901          1.7b    0.21
 IPv4       6          3559          3822569      379465662     225428545        802.3b   96.68
 IPv4      17            71          4468397      373069008     219437175         15.6b    1.88
 IPv6      17            30          4181402      295365202     214319581          6.4b    0.77
 IPv6      58            13        280942917      297365349     293239817          3.8b    0.46
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       2             6            90324         125488        101535        609.2k    0.11
TMM_FLOWWORKER              IPv4       6          3559            70681       15623150        139368        496.0m   86.25
TMM_FLOWWORKER              IPv4      17            71           118687        8852959        319999         22.7m    3.95
TMM_RECEIVEPCAPFILE         IPv4       2             6             2555           2789          2603         15.6k    0.00
TMM_RECEIVEPCAPFILE         IPv4       6          3558             2551       14462834          7068         25.2m    4.37
TMM_RECEIVEPCAPFILE         IPv4      17            71             2553          27426          3058        217.1k    0.04
TMM_DECODEPCAPFILE          IPv4       2             6             2748           4350          3423         20.5k    0.00
TMM_DECODEPCAPFILE          IPv4       6          3558             2656        8393018          6696         23.8m    4.14
TMM_DECODEPCAPFILE          IPv4      17            71             2681           3754          2810        199.5k    0.03
TMM_FLOWWORKER              IPv6      17            30           108749         389175        165188          5.0m    0.86
TMM_FLOWWORKER              IPv6      58            13            66949         133992         81214          1.1m    0.18
TMM_RECEIVEPCAPFILE         IPv6      17            30             2555          10251          2972         89.2k    0.02
TMM_RECEIVEPCAPFILE         IPv6      58            13             2566           3603          2677         34.8k    0.01
TMM_DECODEPCAPFILE          IPv6      17            30             2698          29919          3897        116.9k    0.02
TMM_DECODEPCAPFILE          IPv6      58            13             2811          12429          4151         54.0k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6          3558             2730       13870271          8612         30.6m  6.73  
flow                    IPv4      17            71             2681          20186          3763        267.2k  0.06  
stream                  IPv4       6          3559             2799         501648          5987         21.3m  4.68  
app-layer               IPv4      17            71             2529          44561          5991        425.4k  0.09  
detect                  IPv4       2             6            84638         119952         95863        575.2k  0.13  
detect                  IPv4       6          3559            47360       15592303        104984        373.6m  82.12 
detect                  IPv4      17            71           102489         595851        170500         12.1m  2.66  
tcp-prune               IPv4       6          3559             2548         119474          2942         10.5m  2.30  
flow                    IPv6      17            30             2835          12832          4770        143.1k  0.03  
flow                    IPv6      58            13             2866           5394          3366         43.8k  0.01  
app-layer               IPv6      17            30             2549          26790          5833        175.0k  0.04  
detect                  IPv6      17            30            92359         329341        143228          4.3m  0.94  
detect                  IPv6      58            13            55708         122237         69467        903.1k  0.20  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6             2             9565          57973         33769         67.5k  29.46 
tls                     IPv4       6             2             3026           4728          3877          7.8k  3.38  
tls                     IPv4      17             5             3026           3336          3088         15.4k  6.74  
dns                     IPv4      17            11             4891          32603          9829        108.1k  47.17 
tls                     IPv6      17             5             3026           3336          3088         15.4k  6.74  
dns                     IPv6      17             3             4976           4976          4976         14.9k  6.51  
Proto detect            IPv4      17            19             2783          18675          5612        106.6k
Proto detect            IPv6      17            11             2912          19941          5234         57.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6             1           126792         126792        126792        126.8k  1.26  
LOGGER_UNIFIED2             IPv4       6             1           129444         129444        129444        129.4k  1.29  
LOGGER_JSON_ALERT           IPv4       6             1            98207          98207         98207         98.2k  0.98  
LOGGER_JSON_DNS             IPv4      17             8            35845        8324605       1133868          9.1m  90.18 
LOGGER_JSON_HTTP            IPv4       6             2            94717         195474        145095        290.2k  2.88  
LOGGER_JSON_TLS             IPv4       6             1            45703          45703         45703         45.7k  0.45  
LOGGER_JSON_FILE            IPv4       6             3            77840         129960         99312        297.9k  2.96  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            95             2634         104344         24529         2.3m  10.70 
payload                           IPv4      17            71             3153          60335          7864       558.4k  2.56  
stream                            IPv4       6            95             2549         444442         44470         4.2m  19.39 
http_uri                          IPv4       6             2             5572          31102         18337        36.7k  0.17  
http_request_line                 IPv4       6             2             6836           8624          7730        15.5k  0.07  
http_client_body                  IPv4       6             3             5133          16935          9887        29.7k  0.14  
http_header (request)             IPv4       6             2            68800          87243         78021       156.0k  0.72  
http_header (request trailer)     IPv4       6             2             2664           3693          3178         6.4k  0.03  
http_header_names (request)       IPv4       6             2            19353          20712         20032        40.1k  0.18  
http_accept (request)             IPv4       6             2             6533           7132          6832        13.7k  0.06  
http_referer (request)            IPv4       6             2             3595           4240          3917         7.8k  0.04  
http_content_len (request)        IPv4       6             2             3448           6489          4968         9.9k  0.05  
http_content_type (request)       IPv4       6             2             3478          13941          8709        17.4k  0.08  
http_protocol (request)           IPv4       6             2             6494           8003          7248        14.5k  0.07  
http_start (request)              IPv4       6             2            14704          14797         14750        29.5k  0.14  
http_raw_header (request)         IPv4       6             3            12706          16609         14973        44.9k  0.21  
http_method                       IPv4       6             2             7185           7397          7291        14.6k  0.07  
http_cookie (request)             IPv4       6             2             3560           4633          4096         8.2k  0.04  
http_raw_uri                      IPv4       6             2             2982           8231          5606        11.2k  0.05  
http_user_agent                   IPv4       6             2            23050          41129         32089        64.2k  0.29  
http_host                         IPv4       6             2             7686           9500          8593        17.2k  0.08  
dns_query                         IPv4      17             4             7232          12823          9757        39.0k  0.18  
tls_sni                           IPv4       6             1             8254           8254          8254         8.3k  0.04  
http_response_line                IPv4       6             2             9309          10849         10079        20.2k  0.09  
http_header (response)            IPv4       6             2            50832          54078         52455       104.9k  0.48  
http_header (response trailer)    IPv4       6             2             3612           3956          3784         7.6k  0.03  
http_content_type (response)      IPv4       6             2             9416          22847         16131        32.3k  0.15  
http_raw_header (response)        IPv4       6            76             9459          23110         10322       784.5k  3.60  
http_cookie (response)            IPv4       6             2             4470          11175          7822        15.6k  0.07  
http_stat_code                    IPv4       6             2             4383           5085          4734         9.5k  0.04  
tls_cert_issuer                   IPv4       6             1             7331           7331          7331         7.3k  0.03  
tls_cert_subject                  IPv4       6             1             5450           5450          5450         5.4k  0.03  
tls_cert_serial                   IPv4       6             1             7035           7035          7035         7.0k  0.03  
file_data (http response)         IPv4       6            74             2588        1553364        172575        12.8m  58.61 
Total                             IPv4                   469                                         45763        21.5m
payload                           IPv6      17            30             3234          46398          9283       278.5k  1.28  
payload                           IPv6      58            13             2753          10283          3631        47.2k  0.22  
Total                             IPv6                    43                                          7574       325.7k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       2             6            36534          70913         47394        284.4k  0.08  
PROF_DETECT_IPONLY          IPv4       6             6             9337          68748         37545        225.3k  0.06  
PROF_DETECT_IPONLY          IPv4      17            19            37217          93614         48230        916.4k  0.25  
PROF_DETECT_RULES           IPv4       2             6             2540           2741          2597         15.6k  0.00  
PROF_DETECT_RULES           IPv4       6          3559             2532        5416880         18348         65.3m  18.17 
PROF_DETECT_RULES           IPv4      17            71            44290         346437         83983          6.0m  1.66  
PROF_DETECT_STATEFUL_START    IPv4       6            73             5114        3707398        479168         35.0m  9.73  
PROF_DETECT_STATEFUL_CONT    IPv4       2             6             2768           3163          2881         17.3k  0.00  
PROF_DETECT_STATEFUL_CONT    IPv4       6          3559             2522         758436          6738         24.0m  6.67  
PROF_DETECT_STATEFUL_CONT    IPv4      17            71             2619          44483          4039        286.8k  0.08  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          3547             2554        6545876          4558         16.2m  4.50  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             8             2833           3949          3160         25.3k  0.01  
PROF_DETECT_PREFILTER       IPv4       2             6             7949           8720          8205         49.2k  0.01  
PROF_DETECT_PREFILTER       IPv4       6          3559             8196        7277846         27816         99.0m  27.54 
PROF_DETECT_PREFILTER       IPv4      17            71            23904          87072         31955          2.3m  0.63  
PROF_DETECT_PF_PAYLOAD      IPv4       6            95            13204         486488         77486          7.4m  2.05  
PROF_DETECT_PF_PAYLOAD      IPv4      17            71             8283          65884         13220        938.7k  0.26  
PROF_DETECT_PF_TX           IPv4       6          3547             2558        1571542          7211         25.6m  7.12  
PROF_DETECT_PF_TX           IPv4      17             4            12842          18649         15929         63.7k  0.02  
PROF_DETECT_PF_SORT1        IPv4       6            54             2601          24361          6461        348.9k  0.10  
PROF_DETECT_PF_SORT1        IPv4      17            71             2573          35085          3587        254.7k  0.07  
PROF_DETECT_PF_SORT2        IPv4       2             6             2524           2807          2626         15.8k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6          3559             2523          51051          2730          9.7m  2.70  
PROF_DETECT_PF_SORT2        IPv4      17            71             2558          15199          2961        210.3k  0.06  
PROF_DETECT_NONMPMLIST      IPv4       2             6             2750           2919          2817         16.9k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6          3559             2542          53533          2945         10.5m  2.92  
PROF_DETECT_NONMPMLIST      IPv4      17            71             2536           4520          2867        203.6k  0.06  
PROF_DETECT_ALERT           IPv4       2             6             2533           2956          2611         15.7k  0.00  
PROF_DETECT_ALERT           IPv4       6          3559             2527          34732          2744          9.8m  2.72  
PROF_DETECT_ALERT           IPv4      17            71             2529          17839          3071        218.1k  0.06  
PROF_DETECT_CLEANUP         IPv4       2             6             2519           2914          2595         15.6k  0.00  
PROF_DETECT_CLEANUP  

This file has been truncated.


stats.log (2769 bytes)
------------------------------------------------------------------------------------
Date: 3/22/2019 -- 15:08:19 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 3902
decoder.bytes                              | Total                     | 3820153
decoder.ipv4                               | Total                     | 3635
decoder.ipv6                               | Total                     | 43
decoder.ethernet                           | Total                     | 3902
decoder.tcp                                | Total                     | 3558
decoder.udp                                | Total                     | 101
decoder.icmpv6                             | Total                     | 13
decoder.avg_pkt_size                       | Total                     | 979
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 3
flow.udp                                   | Total                     | 26
flow.icmpv6                                | Total                     | 4
tcp.sessions                               | Total                     | 3
tcp.syn                                    | Total                     | 3
tcp.synack                                 | Total                     | 3
tcp.rst                                    | Total                     | 1
detect.alert                               | Total                     | 1
detect.nonmpm_list                         | Total                     | 2
app_layer.flow.http                        | Total                     | 2
app_layer.tx.http                          | Total                     | 2
app_layer.flow.tls                         | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 4
app_layer.tx.dns_udp                       | Total                     | 4
app_layer.flow.failed_udp                  | Total                     | 22
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7077184


eve.json (7520 bytes)
{"timestamp":"2019-03-22T11:04:40.911055+0000","flow_id":192538036725455,"pcap_cnt":26,"event_type":"dns","src_ip":"192.168.100.124","src_port":53607,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64718,"rrname":"www.triosalud.cl","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-22T11:04:40.911330+0000","flow_id":192538036725455,"pcap_cnt":27,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":53607,"proto":"UDP","dns":{"type":"answer","id":64718,"rcode":"NOERROR","rrname":"www.triosalud.cl","rrtype":"CNAME","ttl":4068,"rdata":"triosalud.cl"}}
{"timestamp":"2019-03-22T11:04:40.911330+0000","flow_id":192538036725455,"pcap_cnt":27,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":53607,"proto":"UDP","dns":{"type":"answer","id":64718,"rcode":"NOERROR","rrname":"triosalud.cl","rrtype":"A","ttl":4068,"rdata":"190.107.177.246"}}
{"timestamp":"2019-03-22T11:04:40.975561+0000","flow_id":565714860119425,"pcap_cnt":35,"event_type":"tls","src_ip":"192.168.100.124","src_port":49207,"dest_ip":"190.107.177.246","dest_port":443,"proto":"TCP","tls":{"subject":"CN=190.107.177.246","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-03-22T11:06:12.998386+0000","flow_id":743569461885938,"pcap_cnt":3578,"event_type":"dns","src_ip":"192.168.100.124","src_port":58515,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":22881,"rrname":"teredo.ipv6.microsoft.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-22T11:06:12.998589+0000","flow_id":743569461885938,"pcap_cnt":3579,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":58515,"proto":"UDP","dns":{"type":"answer","id":22881,"rcode":"NXDOMAIN","rrname":"teredo.ipv6.microsoft.com"}}
{"timestamp":"2019-03-22T11:07:21.656862+0000","flow_id":2039416934172126,"pcap_cnt":3646,"event_type":"dns","src_ip":"192.168.100.124","src_port":56460,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9429,"rrname":"www.bing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-22T11:07:21.670247+0000","flow_id":2039416934172126,"pcap_cnt":3647,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":56460,"proto":"UDP","dns":{"type":"answer","id":9429,"rcode":"NOERROR","rrname":"www.bing.com","rrtype":"CNAME","ttl":24,"rdata":"a-0001.a-afdentry.net.trafficmanager.net"}}
{"timestamp":"2019-03-22T11:07:21.670247+0000","flow_id":2039416934172126,"pcap_cnt":3647,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":56460,"proto":"UDP","dns":{"type":"answer","id":9429,"rcode":"NOERROR","rrname":"a-0001.a-afdentry.net.trafficmanager.net","rrtype":"CNAME","ttl":29,"rdata":"dual-a-0001.a-msedge.net"}}
{"timestamp":"2019-03-22T11:07:21.670247+0000","flow_id":2039416934172126,"pcap_cnt":3647,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":56460,"proto":"UDP","dns":{"type":"answer","id":9429,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":5,"rdata":"204.79.197.200"}}
{"timestamp":"2019-03-22T11:07:21.670247+0000","flow_id":2039416934172126,"pcap_cnt":3647,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":56460,"proto":"UDP","dns":{"type":"answer","id":9429,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":5,"rdata":"13.107.21.200"}}
{"timestamp":"2019-03-22T11:07:22.174783+0000","flow_id":488628797663168,"pcap_cnt":3773,"event_type":"http","src_ip":"192.168.100.124","src_port":49157,"dest_ip":"204.79.197.200","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.bing.com","url":"\/","http_user_agent":"Mozilla\/3.0 (compatible; Indy Library)","http_content_type":"text\/html"}}
{"timestamp":"2019-03-22T11:07:22.340314+0000","flow_id":1937218187440474,"pcap_cnt":3775,"event_type":"dns","src_ip":"192.168.100.124","src_port":58659,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45937,"rrname":"www.triosalud.cl","rrtype":"A","tx_id":0}}
{"timestamp":"2019-03-22T11:07:22.340466+0000","flow_id":1937218187440474,"pcap_cnt":3776,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":58659,"proto":"UDP","dns":{"type":"answer","id":45937,"rcode":"NOERROR","rrname":"www.triosalud.cl","rrtype":"CNAME","ttl":3906,"rdata":"triosalud.cl"}}
{"timestamp":"2019-03-22T11:07:22.340466+0000","flow_id":1937218187440474,"pcap_cnt":3776,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.124","dest_port":58659,"proto":"UDP","dns":{"type":"answer","id":45937,"rcode":"NOERROR","rrname":"triosalud.cl","rrtype":"A","ttl":3906,"rdata":"190.107.177.246"}}
{"timestamp":"2019-03-22T11:07:22.364552+0000","flow_id":488628797663168,"pcap_cnt":3778,"event_type":"fileinfo","src_ip":"204.79.197.200","src_port":80,"dest_ip":"192.168.100.124","dest_port":49157,"proto":"TCP","http":{"hostname":"www.bing.com","url":"\/","http_user_agent":"Mozilla\/3.0 (compatible; Indy Library)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":90995},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":90995,"tx_id":0}}
{"timestamp":"2019-03-22T11:07:24.994157+0000","flow_id":943324100440953,"pcap_cnt":3790,"event_type":"alert","src_ip":"192.168.100.124","src_port":49158,"dest_ip":"190.107.177.246","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2812961,"rev":2,"signature":"ETPRO TROJAN Trojan\/Banker.Bancos.deq Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-03-22T11:07:24.994157+0000","flow_id":943324100440953,"pcap_cnt":3790,"event_type":"fileinfo","src_ip":"192.168.100.124","src_port":49158,"dest_ip":"190.107.177.246","dest_port":80,"proto":"TCP","http":{"hostname":"www.triosalud.cl","url":"\/wp\/wp-content\/uploads\/2019\/03\/up.php","http_user_agent":"Mozilla\/3.0 (compatible; Indy Library)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":5},"app_proto":"http","fileinfo":{"filename":"\/wp\/wp-content\/uploads\/2019\/03\/up.php","gaps":false,"state":"CLOSED","stored":false,"size":26,"tx_id":0}}
{"timestamp":"2019-03-22T11:07:25.018570+0000","flow_id":943324100440953,"pcap_cnt":3792,"event_type":"http","src_ip":"192.168.100.124","src_port":49158,"dest_ip":"190.107.177.246","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.triosalud.cl","url":"\/wp\/wp-content\/uploads\/2019\/03\/up.php","http_user_agent":"Mozilla\/3.0 (compatible; Indy Library)","http_content_type":"text\/html"}}
{"timestamp":"2019-03-22T11:07:25.018570+0000","flow_id":943324100440953,"pcap_cnt":3792,"event_type":"fileinfo","src_ip":"190.107.177.246","src_port":80,"dest_ip":"192.168.100.124","dest_port":49158,"proto":"TCP","http":{"hostname":"www.triosalud.cl","url":"\/wp\/wp-content\/uploads\/2019\/03\/up.php","http_user_agent":"Mozilla\/3.0 (compatible; Indy Library)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":5},"app_proto":"http","fileinfo":{"filename":"\/wp\/wp-content\/uploads\/2019\/03\/up.php","gaps":false,"state":"CLOSED","stored":false,"size":5,"tx_id":0}}
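The eve.json above is newline-delimited JSON, one event per line; dns, tls, http, fileinfo and alert events share a `flow_id` within a flow and IP addresses across flows, which is what lets an analyst walk from the single alert (SID 2812961) back to the DNS resolution, the TLS connection and the HTTP POST that surround it. The Python below is an added example, not part of the original report and not Suricata's own code: it pivots from each alert to the same-flow HTTP/fileinfo events, to other flows that reached the alerted server, and to the DNS names that resolved to that server by walking CNAME chains backwards. The embedded input is a constructed subset of the events above, trimmed to the fields the code reads; the field names are those of Suricata 4.0's eve.json as shown on this page.

```python
"""Pivot from a Suricata eve.json alert to the DNS, TLS and HTTP evidence around it."""
import json
from collections import defaultdict

# Constructed sample: a subset of the eve.json events above, trimmed to the
# fields this example reads. Real eve.json carries many more fields per event.
EVE_LINES = r'''
{"timestamp":"2019-03-22T11:04:40.911330+0000","flow_id":192538036725455,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.124","proto":"UDP","dns":{"type":"answer","rcode":"NOERROR","rrname":"www.triosalud.cl","rrtype":"CNAME","rdata":"triosalud.cl"}}
{"timestamp":"2019-03-22T11:04:40.911330+0000","flow_id":192538036725455,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.124","proto":"UDP","dns":{"type":"answer","rcode":"NOERROR","rrname":"triosalud.cl","rrtype":"A","rdata":"190.107.177.246"}}
{"timestamp":"2019-03-22T11:04:40.975561+0000","flow_id":565714860119425,"event_type":"tls","src_ip":"192.168.100.124","dest_ip":"190.107.177.246","dest_port":443,"proto":"TCP","tls":{"subject":"CN=190.107.177.246","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-03-22T11:06:12.998589+0000","flow_id":743569461885938,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.124","proto":"UDP","dns":{"type":"answer","rcode":"NXDOMAIN","rrname":"teredo.ipv6.microsoft.com"}}
{"timestamp":"2019-03-22T11:07:21.670247+0000","flow_id":2039416934172126,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.124","proto":"UDP","dns":{"type":"answer","rcode":"NOERROR","rrname":"www.bing.com","rrtype":"CNAME","rdata":"a-0001.a-afdentry.net.trafficmanager.net"}}
{"timestamp":"2019-03-22T11:07:21.670247+0000","flow_id":2039416934172126,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.124","proto":"UDP","dns":{"type":"answer","rcode":"NOERROR","rrname":"a-0001.a-afdentry.net.trafficmanager.net","rrtype":"CNAME","rdata":"dual-a-0001.a-msedge.net"}}
{"timestamp":"2019-03-22T11:07:21.670247+0000","flow_id":2039416934172126,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.124","proto":"UDP","dns":{"type":"answer","rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","rdata":"204.79.197.200"}}
{"timestamp":"2019-03-22T11:07:22.174783+0000","flow_id":488628797663168,"event_type":"http","src_ip":"192.168.100.124","dest_ip":"204.79.197.200","dest_port":80,"proto":"TCP","http":{"hostname":"www.bing.com","url":"/","http_user_agent":"Mozilla/3.0 (compatible; Indy Library)"}}
{"timestamp":"2019-03-22T11:07:24.994157+0000","flow_id":943324100440953,"event_type":"alert","src_ip":"192.168.100.124","dest_ip":"190.107.177.246","dest_port":80,"proto":"TCP","alert":{"signature_id":2812961,"rev":2,"signature":"ETPRO TROJAN Trojan/Banker.Bancos.deq Checkin","severity":1}}
{"timestamp":"2019-03-22T11:07:24.994157+0000","flow_id":943324100440953,"event_type":"fileinfo","src_ip":"192.168.100.124","dest_ip":"190.107.177.246","dest_port":80,"proto":"TCP","http":{"hostname":"www.triosalud.cl","url":"/wp/wp-content/uploads/2019/03/up.php","http_user_agent":"Mozilla/3.0 (compatible; Indy Library)","http_method":"POST","protocol":"HTTP/1.0","status":200},"fileinfo":{"size":26}}
{"timestamp":"2019-03-22T11:07:25.018570+0000","flow_id":943324100440953,"event_type":"http","src_ip":"192.168.100.124","dest_ip":"190.107.177.246","dest_port":80,"proto":"TCP","http":{"hostname":"www.triosalud.cl","url":"/wp/wp-content/uploads/2019/03/up.php","http_user_agent":"Mozilla/3.0 (compatible; Indy Library)"}}
'''


def parse_eve(text):
    """Parse newline-delimited eve.json into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_dns_index(events):
    """Map each IP from an A/AAAA answer to every name that led to it, walking
    CNAME chains backwards (www.bing.com -> ... -> dual-a-0001.a-msedge.net -> IP).
    NXDOMAIN answers carry no rrtype/rdata and are skipped."""
    aliases_of = defaultdict(set)   # canonical name -> names that CNAME to it
    ip_names = defaultdict(set)     # ip -> names with a direct A/AAAA record
    for ev in events:
        rec = ev.get("dns") or {}
        if ev.get("event_type") != "dns" or rec.get("type") != "answer":
            continue
        if rec.get("rrtype") == "CNAME":
            aliases_of[rec["rdata"]].add(rec["rrname"])
        elif rec.get("rrtype") in ("A", "AAAA"):
            ip_names[rec["rdata"]].add(rec["rrname"])
    index = {}
    for ip, names in ip_names.items():
        seen, stack = set(), list(names)
        while stack:                    # transitive closure over the alias graph
            name = stack.pop()
            if name not in seen:
                seen.add(name)
                stack.extend(aliases_of.get(name, ()))
        index[ip] = seen
    return index


def pivot_alert(events, alert):
    """Gather evidence for one alert: every event touching the alerted server
    (same flow or other flows) plus the DNS names that resolved to it."""
    server = alert["dest_ip"]
    iocs = {
        "signature_id": alert["alert"]["signature_id"],
        "signature": alert["alert"]["signature"],
        "dest_ip": server,
        "domains": set(build_dns_index(events).get(server, ())),
        "flow_ids": {alert["flow_id"]},
        "urls": set(), "user_agents": set(), "methods": set(),
        "tls_subjects": set(), "tls_issuers": set(),
    }
    http_fields = (("hostname", "domains"), ("url", "urls"),
                   ("http_user_agent", "user_agents"), ("http_method", "methods"))
    for ev in events:
        if ev is alert or server not in (ev.get("src_ip"), ev.get("dest_ip")):
            continue
        iocs["flow_ids"].add(ev["flow_id"])
        for key, bucket in http_fields:
            if key in ev.get("http", {}):
                iocs[bucket].add(ev["http"][key])
        if "tls" in ev:
            iocs["tls_subjects"].add(ev["tls"].get("subject", ""))
            iocs["tls_issuers"].add(ev["tls"].get("issuerdn", ""))
    return iocs


def alerts_with_evidence(text):
    """Return one IOC dict per alert event in an eve.json body."""
    events = parse_eve(text)
    return [pivot_alert(events, ev) for ev in events if ev.get("event_type") == "alert"]


if __name__ == "__main__":
    for ioc in alerts_with_evidence(EVE_LINES):
        printable = {k: sorted(v) if isinstance(v, set) else v for k, v in ioc.items()}
        print(json.dumps(printable, indent=2))
```

Correlating on `flow_id` is exact within a flow; correlating on the server IP across flows is a heuristic that would also pull in unrelated connections to a shared host, so hits found that way should be checked against timestamps (here the TLS connection precedes the alerted POST by about three minutes, to the same address the DNS answer returned) before they are treated as indicators.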


suricata-report-2019-03-22-T-15-08-19-03222019.1507-44c1463c-cda3-4a46-a14a-2cbcc42c12cc.pcap.txt (17818 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/dd4517551ee46094d4d7c344878a5e7656b33745cb75ec8c950e11a498e082d2 -r /var/pcap/03222019.1507-44c1463c-cda3-4a46-a14a-2cbcc42c12cc.pcap -vvv -k none
elapsedtime:21.436757
stderr:
stdout:
22/3/2019 -- 15:07:57 - <Info> - Configuration node 'rule-files' redefined.
22/3/2019 -- 15:07:57 - <Notice> - This is Suricata version 4.0.0 RELEASE
22/3/2019 -- 15:07:57 - <Info> - CPUs/cores online: 1
22/3/2019 -- 15:07:57 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32541 and 'request-body-inspect-window' set to 16730 after randomization.
22/3/2019 -- 15:07:57 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32648 and 'response-body-inspect-window' set to 15998 after randomization.
22/3/2019 -- 15:07:57 - <Config> - DNS request flood protection level: 500
22/3/2019 -- 15:07:57 - <Config> - DNS per flow memcap (state-memcap): 524288
22/3/2019 -- 15:07:57 - <Config> - DNS global memcap: 16777216
22/3/2019 -- 15:07:57 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
22/3/2019 -- 15:07:57 - <Config> - preallocated 1000 hosts of size 136
22/3/2019 -- 15:07:57 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
22/3/2019 -- 15:07:57 - <Config> - using magic-file /usr/share/file/magic
22/3/2019 -- 15:07:57 - <Config> - Core dump size is unlimited.
22/3/2019 -- 15:07:57 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
22/3/2019 -- 15:07:57 - <Config> - preallocated 1000 defrag trackers of size 168
22/3/2019 -- 15:07:57 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
22/3/2019 -- 15:07:57 - <Config> - stream "prealloc-sessions": 2048 (per thread)
22/3/2019 -- 15:07:57 - <Config> - stream "memcap": 33554432
22/3/2019 -- 15:07:57 - <Config> - stream "midstream" session pickups: disabled
22/3/2019 -- 15:07:57 - <Config> - stream "async-oneside": disabled
22/3/2019 -- 15:07:57 - <Config> - stream "checksum-validation": disabled
22/3/2019 -- 15:07:57 - <Config> - stream."inline": disabled
22/3/2019 -- 15:07:57 - <Config> - stream "bypass": disabled
22/3/2019 -- 15:07:57 - <Config> - stream "max-synack-queued": 5
22/3/2019 -- 15:07:57 - <Config> - stream.reassembly "memcap": 134217728
22/3/2019 -- 15:07:57 - <Config> - stream.reassembly "depth": 0
22/3/2019 -- 15:07:57 - <Config> - stream.reassembly "toserver-chunk-size": 2608
22/3/2019 -- 15:07:57 - <Config> - stream.reassembly "toclient-chunk-size": 2590
22/3/2019 -- 15:07:57 - <Config> - stream.reassembly.raw: enabled
22/3/2019 -- 15:07:57 - <Config> - stream.reassembly "segment-prealloc": 2048
22/3/2019 -- 15:07:57 - <Config> - Delayed detect disabled
22/3/2019 -- 15:07:57 - <Config> - pattern matchers: MPM: ac, SPM: bm
22/3/2019 -- 15:07:57 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
22/3/2019 -- 15:07:57 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
22/3/2019 -- 15:07:57 - <Config> - prefilter engines: MPM
22/3/2019 -- 15:07:57 - <Config> - IP reputation disabled
22/3/2019 -- 15:07:57 - <Perf> - Registered 148 keyword profiling counters.
22/3/2019 -- 15:07:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
22/3/2019 -- 15:07:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
22/3/2019 -- 15:07:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
22/3/2019 -- 15:08:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
22/3/2019 -- 15:08:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
22/3/2019 -- 15:08:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
22/3/2019 -- 15:08:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
22/3/2019 -- 15:08:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
22/3/2019 -- 15:08:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
22/3/2019 -- 15:08:03 - <Config> - No rules loaded from ET-icmp.rules.
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
22/3/2019 -- 15:08:03 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
22/3/2019 -- 15:08:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
22/3/2019 -- 15:08:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
22/3/2019 -- 15:08:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
22/3/2019 -- 15:08:08 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
22/3/2019 -- 15:08:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
22/3/2019 -- 15:08:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
22/3/2019 -- 15:08:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
22/3/2019 -- 15:08:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
22/3/2019 -- 15:08:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
22/3/2019 -- 15:08:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
22/3/2019 -- 15:08:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
22/3/2019 -- 15:08:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
22/3/2019 -- 15:08:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
22/3/2019 -- 15:08:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
22/3/2019 -- 15:08:10 - <Config> - No rules loaded from local.rules.
22/3/2019 -- 15:08:10 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
22/3/2019 -- 15:08:10 - <Info> - Threshold config parsed: 0 rule(s) found
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for tcp-packet
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for tcp-stream
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for udp-packet
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for other-ip
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_uri
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_request_line
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_client_body
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_response_line
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_header
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_header
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_header_names
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_header_names
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_accept
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_accept_enc
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_accept_lang
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_referer
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_connection
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_content_len
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_content_len
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_content_type
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_content_type
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_protocol
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_protocol
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_start
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_start
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_raw_header
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_raw_header
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_method
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_cookie
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_cookie
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_raw_uri
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_user_agent
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_host
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_raw_host
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_stat_msg
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_stat_code
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for dns_query
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for tls_sni
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for tls_cert_issuer
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for tls_cert_subject
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for tls_cert_serial
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for dce_stub_data
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for dce_stub_data
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for ssh_protocol
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for ssh_protocol
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for ssh_software
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for ssh_software
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for file_data
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for file_data
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_request_line
22/3/2019 -- 15:08:11 - <Perf> - using shared mpm ctx' for http_response_line
22/3/2019 -- 15:08:11 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
22/3/2019 -- 15:08:11 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
22/3/2019 -- 15:08:11 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
22/3/2019 -- 15:08:11 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
22/3/2019 -- 15:08:11 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
22/3/2019 -- 15:08:11 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
22/3/2019 -- 15:08:11 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
22/3/2019 -- 15:08:11 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
22/3/2019 -- 15:08:16 - <Perf> - Unique rule groups: 104
22/3/2019 -- 15:08:16 - <Perf> - Builtin MPM "toserver TCP packet": 35
22/3/2019 -- 15:08:16 - <Perf> - Builtin MPM "toclient TCP packet": 17
22/3/2019 -- 15:08:16 - <Perf> - Builtin MPM "toserver TCP stream": 33
22/3/2019 -- 15:08:16 - <Perf> - Builtin MPM "toclient TCP stream": 19
22/3/2019 -- 15:08:16 - <Perf> - Builtin MPM "toserver UDP packet": 27
22/3/2019 -- 15:08:16 - <Perf> - Builtin MPM "toclient UDP packet": 17
22/3/2019 -- 15:08:16 - <Perf> - Builtin MPM "other IP packet": 3
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_uri": 14
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_request_line": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_client_body": 6
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient http_response_line": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_header": 10
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient http_header": 6
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_header_names": 2
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_accept": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_referer": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_content_len": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_content_type": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient http_content_type": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_protocol": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_start": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_method": 5
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_cookie": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient http_cookie": 2
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver http_host": 2
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver dns_query": 4
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver tls_sni": 2
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toserver file_data": 1
22/3/2019 -- 15:08:16 - <Perf> - AppLayer MPM "toclient file_data": 7
22/3/2019 -- 15:08:18 - <Perf> - Registered 39590 rule profiling counters.
22/3/2019 -- 15:08:18 - <Info> - fast output device (regular) initialized: alert
22/3/2019 -- 15:08:18 - <Info> - eve-log output device (regular) initialized: eve.json
22/3/2019 -- 15:08:18 - <Config> - enabling 'eve-log' module 'alert'
22/3/2019 -- 15:08:18 - <Config> - enabling 'eve-log' module 'http'
22/3/2019 -- 15:08:18 - <Config> - enabling 'eve-log' module 'dns'
22/3/2019 -- 15:08:18 - <Config> - enabling 'eve-log' module 'tls'
22/3/2019 -- 15:08:18 - <Config> - enabling 'eve-log' module 'files'
22/3/2019 -- 15:08:18 - <Config> - enabling 'eve-log' module 'ssh'
22/3/2019 -- 15:08:18 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
22/3/2019 -- 15:08:18 - <Info> - stats output device (regular) initialized: stats.log
22/3/2019 -- 15:08:18 - <Config> - AutoFP mode using "Hash" flow load balancer
22/3/2019 -- 15:08:18 - <Info> - reading pcap file /var/pcap/03222019.1507-44c1463c-cda3-4a46-a14a-2cbcc42c12cc.pcap
22/3/2019 -- 15:08:18 - <Config> - us

This file has been truncated.


suricata-4.0.0-etpro-all-alert-2019-03-22-T-15-08-19-03222019.1507-44c1463c-cda3-4a46-a14a-2cbcc42c12cc.pcap.txt - (210 bytes) - download
03/22/2019-11:07:24.994157  [**] [1:2812961:2] ETPRO TROJAN Trojan/Banker.Bancos.deq Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.124:49158 -> 190.107.177.246:80
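The single alert above is in Suricata's fast.log format: packet timestamp, `[gid:sid:rev]`, rule message, classification, priority, protocol and the 5-tuple. The following parser is an added example, not part of this page or of Suricata; it turns such lines into structured records so that a run with many alerts can be triaged by signature and source host. The first sample line is the alert shown above; the second is a constructed ICMP line (local-range sid, not a real rule) that exercises the port-less form of the endpoint fields. The pattern also tolerates a missing Classification block, which is an assumption about the format rather than something this page shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Layout of a Suricata 4.x fast.log alert line:
#   <packet ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <text>] [Priority: <n>] {PROTO} src:sport -> dst:dport
# Ports are absent for protocols without them (ICMP), and the Classification
# block is treated as optional (assumption), so both groups are optional here.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_line(line: str) -> Optional[Alert]:
    """Parse one fast.log line; return None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"], priority=int(g["priority"]),
        proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def parse_fast_log(text: str) -> List[Alert]:
    """Parse a whole fast.log, silently skipping non-alert lines."""
    return [a for a in (parse_fast_line(l) for l in text.splitlines()) if a]


def priority1_sources(alerts: List[Alert]) -> Dict[int, Set[str]]:
    """Map each Priority-1 signature (sid) to the set of source hosts that fired it.
    In the alert above the source is the internal client, i.e. the likely infected host."""
    out: Dict[int, Set[str]] = {}
    for a in alerts:
        if a.priority == 1:
            out.setdefault(a.sid, set()).add(a.src)
    return out


# Constructed sample: line 1 is the alert from this page, line 2 is made up
# (sid in the local 1000000+ range) to exercise the port-less ICMP form.
SAMPLE_FAST_LOG = """\
03/22/2019-11:07:24.994157  [**] [1:2812961:2] ETPRO TROJAN Trojan/Banker.Bancos.deq Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.124:49158 -> 190.107.177.246:80
03/22/2019-11:07:30.000001  [**] [1:1000001:1] LOCAL ICMP example (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.124 -> 192.168.100.1
"""

if __name__ == "__main__":
    for alert in parse_fast_log(SAMPLE_FAST_LOG):
        print(alert)
    print(priority1_sources(parse_fast_log(SAMPLE_FAST_LOG)))
```

Note that the timestamp in fast.log is the packet's capture time (11:07:24 here), not the time the analysis ran (15:08 in the suricata.log above); correlate against other evidence on packet time, not on run time.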


keyword_perf.log - (11819 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 3/22/2019 -- 15:08:19
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             2423924         728             728             24751           3329.00         3329.00         0.00           
  content          20956992        1343            698             219257          15604.00        12067.00        19432.00       
  pcre             3690328         830             21              255106          4446.00         6067.00         4404.00        
  byte_test        176679          48              26              23169           3680.00         4215.00         3048.00        
  isdataat         18039           6               0               3750            3006.00         0.00            3006.00        
  flowbits         5869            1               1               5869            5869.00         5869.00         0.00           
  urilen           83895           22              6               5017            3813.00         4141.00         3690.00        
  byte_extract     13261           2               2               10608           6630.00         6630.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             2423924         728             728             24751           3329.00         3329.00         0.00           
  flowbits         5869            1               1               5869            5869.00         5869.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          981582          226             96              36121           4343.00         4720.00         4064.00        
  pcre             99654           16              7               21379           6228.00         6256.00         6206.00        
  byte_test        176679          48              26              23169           3680.00         4215.00         3048.00        
  isdataat         18039           6               0               3750            3006.00         0.00            3006.00        
  byte_extract     13261           2               2               10608           6630.00         6630.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          518133          103             31              77431           5030.00         4926.00         5075.00        
  pcre             144469          16              7               25485           9029.00         8766.00         9233.00        
  urilen           83895           22              6               5017            3813.00         4141.00         3690.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          73311           16              2               5519            4581.00         4266.00         4627.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7581            2               0               4272            3790.00         0.00            3790.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          17974531        726             366             219257          24758.00        18412.00        31210.00       
  pcre             3389646         791             7               255106          4285.00         3178.00         4295.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1003704         181             139             58563           5545.00         5527.00         5603.00        
  pcre             56559           7               0               14851           8079.00         0.00            8079.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          65360           14              7               5550            4668.00         4718.00         4619.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20772           5               5               4723            4154.00         4154.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          20856           1               1               20856           20856.00        20856.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          129322          33              24              4830            3918.00         4144.00         3316.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          143008          31              26              16302           4613.00         4778.00         3753.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          18832           5               1               4212            3766.00         3334.00         3874.00        
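The keyword profile above is easier to act on once it is parsed: the "total" section is the sum of the per-buffer sections, and comparing them shows which buffer the detection engine actually spent its time in. The parser and checks below are an added example, not part of this page or of Suricata. The embedded input is an abridged, constructed excerpt of the keyword_perf.log above (separator and column-header lines dropped, only the content and pcre rows kept, values as on the page); the parser ignores those dropped lines, so it runs unchanged on the full file.

```python
import re
from typing import Dict, List, Tuple

# Each section starts with "Stats for: <buffer>"; data rows are a keyword name
# followed by seven numeric columns (Ticks, Checks, Matches, Max Ticks, Avg,
# Avg Match, Avg No Match). Separator and header lines match neither pattern.
SECTION_RE = re.compile(r"^\s*Stats for:\s*(?P<name>.+?)\s*$")
ROW_RE = re.compile(
    r"^\s*(?P<kw>[A-Za-z_]+)\s+(?P<ticks>\d+)\s+(?P<checks>\d+)\s+(?P<matches>\d+)\s+"
    r"(?P<max_ticks>\d+)\s+[\d.]+\s+[\d.]+\s+[\d.]+\s*$"
)

Row = Dict[str, int]


def parse_keyword_perf(text: str) -> Dict[str, Dict[str, Row]]:
    """Return {section: {keyword: {"ticks", "checks", "matches", "max_ticks"}}}."""
    sections: Dict[str, Dict[str, Row]] = {}
    current = None
    for line in text.splitlines():
        sm = SECTION_RE.match(line)
        if sm:
            current = sm.group("name")
            sections[current] = {}
            continue
        rm = ROW_RE.match(line)
        if rm and current is not None:
            sections[current][rm.group("kw")] = {
                k: int(rm.group(k)) for k in ("ticks", "checks", "matches", "max_ticks")
            }
    return sections


def check_totals(sections: Dict[str, Dict[str, Row]], keyword: str) -> bool:
    """Sanity check: the 'total' row for a keyword must equal the sum of its
    per-buffer rows for ticks, checks and matches."""
    total = sections["total"][keyword]
    per_buffer = [kws[keyword] for name, kws in sections.items()
                  if name != "total" and keyword in kws]
    return all(sum(r[f] for r in per_buffer) == total[f]
               for f in ("ticks", "checks", "matches"))


def ticks_by_buffer(sections: Dict[str, Dict[str, Row]],
                    keyword: str) -> List[Tuple[str, int, float]]:
    """(buffer, ticks, share of the keyword's total ticks), most expensive first."""
    total = sections["total"][keyword]["ticks"]
    rows = [(name, kws[keyword]["ticks"], kws[keyword]["ticks"] / total)
            for name, kws in sections.items() if name != "total" and keyword in kws]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed excerpt of the keyword_perf.log on this page (content/pcre rows only).
SAMPLE_KEYWORD_PERF = """\
Stats for: total
content 20956992 1343 698 219257 15604.00 12067.00 19432.00
pcre 3690328 830 21 255106 4446.00 6067.00 4404.00
Stats for: packet/stream payload
content 981582 226 96 36121 4343.00 4720.00 4064.00
pcre 99654 16 7 21379 6228.00 6256.00 6206.00
Stats for: http_uri
content 518133 103 31 77431 5030.00 4926.00 5075.00
pcre 144469 16 7 25485 9029.00 8766.00 9233.00
Stats for: http_client_body
content 73311 16 2 5519 4581.00 4266.00 4627.00
Stats for: http_response_line
content 7581 2 0 4272 3790.00 0.00 3790.00
Stats for: file_data
content 17974531 726 366 219257 24758.00 18412.00 31210.00
pcre 3389646 791 7 255106 4285.00 3178.00 4295.00
Stats for: http_header
content 1003704 181 139 58563 5545.00 5527.00 5603.00
pcre 56559 7 0 14851 8079.00 0.00 8079.00
Stats for: http_header_names
content 65360 14 7 5550 4668.00 4718.00 4619.00
Stats for: http_content_type
content 20772 5 5 4723 4154.00 4154.00 0.00
Stats for: http_protocol
content 20856 1 1 20856 20856.00 20856.00 0.00
Stats for: http_method
content 129322 33 24 4830 3918.00 4144.00 3316.00
Stats for: http_user_agent
content 143008 31 26 16302 4613.00 4778.00 3753.00
Stats for: http_stat_code
content 18832 5 1 4212 3766.00 3334.00 3874.00
"""

if __name__ == "__main__":
    stats = parse_keyword_perf(SAMPLE_KEYWORD_PERF)
    for kw in stats["total"]:
        print(kw, "totals consistent:", check_totals(stats, kw))
        for buf, ticks, share in ticks_by_buffer(stats, kw)[:3]:
            print(f"  {buf:24s} {ticks:>10d} {share:6.1%}")
```

On this run roughly 86% of all content-match ticks, and most of the pcre ticks, fall in the file_data buffer (HTTP response bodies), so that is where rule cost concentrates; with `stream.reassembly "depth": 0` in the configuration above, bodies are reassembled without a limit, which is consistent with that share.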


suricata-4.0.0-etpro-all-perf.txt-2019-03-22-T-15-08-19-03222019.1507-44c1463c-cda3-4a46-a14a-2cbcc42c12cc.pcap.txt - (45398 bytes) - download
  --------------------------------------------------------------------------
  Date: 3/22/2019 -- 15:08:19. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2822534      1        2        1836301      3.40   4        0        534894      459075.25   0.00        459075.25  
  2        2020865      1        3        1385740      2.57   5        0        445392      277148.00   0.00        277148.00  
  3        2828863      1        2        1155656      2.14   10       0        352171      115565.60   0.00        115565.60  
  4        2806009      1        2        1042549      1.93   6        0        300412      173758.17   0.00        173758.17  
  5        2822533      1        2        716472       1.33   4        0        290047      179118.00   0.00        179118.00  
  6        2025185      1        3        3468305      6.43   24       0        267750      144512.71   0.00        144512.71  
  7        2827748      1        2        1345856      2.50   8        0        252792      168232.00   0.00        168232.00  
  8        2823838      1        2        519221       0.96   4        0        225208      129805.25   0.00        129805.25  
  9        2822531      1        2        1349761      2.50   14       0        221304      96411.50    0.00        96411.50   
  10       2812339      1        2        726196       1.35   4        0        202187      181549.00   0.00        181549.00  
  11       2022524      1        4        192369       0.36   1        0        192369      192369.00   0.00        192369.00  
  12       2809735      1        2        661651       1.23   6        0        171760      110275.17   0.00        110275.17  
  13       2015556      1        21       380883       0.71   4        0        170769      95220.75    0.00        95220.75   
  14       2814836      1        2        751182       1.39   7        0        160622      107311.71   0.00        107311.71  
  15       2810971      1        2        644187       1.19   7        0        146080      92026.71    0.00        92026.71   
  16       2828865      1        2        1479083      2.74   19       0        145567      77846.47    0.00        77846.47   
  17       2829230      1        2        1650126      3.06   19       0        144364      86848.74    0.00        86848.74   
  18       2815292      1        2        317678       0.59   4        0        136280      79419.50    0.00        79419.50   
  19       2808764      1        3        745743       1.38   7        0        132594      106534.71   0.00        106534.71  
  20       2012970      1        2        326999       0.61   4        0        130151      81749.75    0.00        81749.75   
  21       2809666      1        3        1353427      2.51   16       0        118614      84589.19    0.00        84589.19   
  22       2811399      1        2        118384       0.22   1        0        118384      118384.00   0.00        118384.00  
  23       2023476      1        5        115260       0.21   1        0        115260      115260.00   0.00        115260.00  
  24       2807650      1        2        579052       1.07   6        0        114378      96508.67    0.00        96508.67   
  25       2021946      1        2        113125       0.21   1        0        113125      113125.00   0.00        113125.00  
  26       2019833      1        7        112440       0.21   1        0        112440      112440.00   0.00        112440.00  
  27       2807651      1        2        552635       1.02   6        0        106253      92105.83    0.00        92105.83   
  28       2826092      1        2        105081       0.19   1        0        105081      105081.00   0.00        105081.00  
  29       2822095      1        2        358491       0.66   6        0        103665      59748.50    0.00        59748.50   
  30       2017259      1        12       103298       0.19   1        0        103298      103298.00   0.00        103298.00  
  31       2827094      1        2        434136       0.80   5        0        94537       86827.20    0.00        86827.20   
  32       2809745      1        2        532670       0.99   7        0        93916       76095.71    0.00        76095.71   
  33       2815269      1        2        872226       1.62   16       0        91474       54514.12    0.00        54514.12   
  34       2811003      1        3        118456       0.22   2        0        91309       59228.00    0.00        59228.00   
  35       2012312      1        7        121690       0.23   2        0        90938       60845.00    0.00        60845.00   
  36       2822527      1        2        946953       1.76   13       0        88847       72842.54    0.00        72842.54   
  37       2819683      1        2        1099371      2.04   21       0        86657       52351.00    0.00        52351.00   
  38       2815275      1        2        1286370      2.38   24       0        85764       53598.75    0.00        53598.75   
  39       2019832      1        4        85033        0.16   1        0        85033       85033.00    0.00        85033.00   
  40       2809744      1        2        522772       0.97   7        0        83986       74681.71    0.00        74681.71   
  41       2808991      1        5        466129       0.86   6        0        79602       77688.17    0.00        77688.17   
  42       2024099      1        2        126272       0.23   3        0        77591       42090.67    0.00        42090.67   
  43       2021413      1        2        77146        0.14   1        0        77146       77146.00    0.00        77146.00   
  44       2808755      1        5        887202       1.64   13       0        76693       68246.31    0.00        68246.31   
  45       2810961      1        2        862378       1.60   17       0        75855       50728.12    0.00        50728.12   
  46       2811273      1        6        74167        0.14   1        0        74167       74167.00    0.00        74167.00   
  47       2807202      1        2        386695       0.72   7        0        71644       55242.14    0.00        55242.14   
  48       2021418      1        9        71449        0.13   1        0        71449       71449.00    0.00        71449.00   
  49       2809674      1        2        116942       0.22   2        0        71180       58471.00    0.00        58471.00   
  50       2018005      1        6        70449        0.13   1        0        70449       70449.00    0.00        70449.00   
  51       2814832      1        2        903832       1.68   18       0        68105       50212.89    0.00        50212.89   
  52       2016706      1        20       65916        0.12   1        0        65916       65916.00    0.00        65916.00   
  53       2814883      1        3        65295        0.12   1        0        65295       65295.00    0.00        65295.00   
  54       2813098      1        2        100109       0.19   2        0        64164       50054.50    0.00        50054.50   
  55       2812961      1        2        62482        0.12   1        1        62482       62482.00    62482.00    0.00       
  56       2829848      1        2        90591        0.17   2        0        61600       45295.50    0.00        45295.50   
  57       2815266      1        2        362217       0.67   7        0        61429       51745.29    0.00        51745.29   
  58       2812967      1        3        82598        0.15   2        0        61427       41299.00    0.00        41299.00   
  59       2810991      1        4        60208        0.11   1        0        60208       60208.00    0.00        60208.00   
  60       2814734      1        5        87673        0.16   2        0        59640       43836.50    0.00        43836.50   
  61       2814978      1        2        59274        0.11   1        0        59274       59274.00    0.00        59274.00   
  62       2022221      1        3        396582       0.74   8        0        59252       49572.75    0.00        49572.75   
  63       2812969      1        2        85390        0.16   2        0        57721       42695.00    0.00        42695.00   
  64       2017656      1        5        86013        0.16   2        0        57239       43006.50    0.00        43006.50   
  65       2822213      1        2        56691        0.11   1        0        56691       56691.00    0.00        56691.00   
  66       2819993      1        2        55644        0.10   1        0        55644       55644.00    0.00        55644.00   
  67       2830613      1        2        55104        0.10   1        0        55104       55104.00    0.00        55104.00   
  68       2809363      1        3        54658        0.10   1        0        54658       54658.00    0.00        54658.00   
  69       2807970      1        8        54420        0.10   1        0        54420       54420.00    0.00        54420.00   
  70       2809289      1        4        95402        0.18   2        0        53383       47701.00    0.00        47701.00   
  71       2814193      1        3        117249       0.22   3        0        53349       39083.00    0.00        39083.00   
  72       2828844      1        2        94503        0.18   3        0        53225       31501.00    0.00        31501.00   
  73       2014911      1        10       106347       0.20   3        0        53223       35449.00    0.00        35449.00   
  74       2022901      1        2        53142        0.10   1        0        53142       53142.00    0.00        53142.00   
  75       2828845      1        1        91457        0.17   3        0        52802       30485.67    0.00        30485.67   
  76       2805002      1        2        79449        0.15   2        0        52612       39724.50    0.00        39724.50   
  77       2815749      1        2        52286        0.10   1        0        52286       52286.00    0.00        52286.00   
  78       2821471      1        2        52131        0.10   1        0        52131       52131.00    0.00        52131.00   
  79       2017261      1        3        51294        0.10   1        0        51294       51294.00    0.00        51294.00   
  80       2815268      1        2        300264       0.56   7        0        50820       42894.86    0.00        42894.86   
  81       2820002      1        2        82946        0.15   2        0        50398       41473.00    0.00        41473.00   
  82       2809850      1        2        117908       0.22   3        0        50388       39302.67    0.00        39302.67   
  83       2814979      1        2        50234        0.09   1        0        50234       50234.00    0.00        50234.00   
  84       2828701      1        2        87368        0.16   2        0        49185       43684.00    0.00        43684.00   
  85       2827580      1        7        48468        0.09   1        0        48468       48468.00    0.00        48468.00   
  86       2019094      1        5        61055        0.11   2        0        48153       30527.50    0.00        30527.50   
  87       2810962      1        2        322273       0.60   7        0        47974       46039.00    0.00        46039.00   
  88       2814316      1        2        91433        0.17   2        0        47117       45716.50    0.00        45716.50   
  89       2020181      1        8        46920        0.09   1        0        46920       46920.00    0.00        46920.00   
  90       2813068      1        3        81091        0.15   2        0        46893       40545.50    0.00        40545.50   
  91       2821569      1        7        46784        0.09   1        0        46784       46784.00    0.00        46784.00   
  92       2812100      1        3        91122        0.17   2        0        46581       45561.00    0.00        45561.00   
  93       2024771      1        1        469262       0.87   75       0        46370       6256.83     0.00        6256.83    
  94       2810949      1        2        93371        0.17   3        0        45962       31123.67    0.00        31123.67   
  95       2809405      1        2        93215        0.17   3        0        45909       31071.67    0.00        31071.67   
  96       2830703      1        3        250836       0.47   7        0        45845       35833.71    0.00        35833.71   
  97       2022535      1        11       45823        0.08   1        0        45823       45823.00    0.00        45823.00   
  98       2808948      1        3        80790        0.15   2        0        45697       40395.00    0.00        40395.00   
  99       2806802      1        2        512654       0.95   24       0        45620       21360.58    0.00        21360.58   
  100      2814116      1        2        79970        0.15   2        0        45265       39985.00    0.00        39985.00   
  101      2022073      1        2        45084        0.08   1        0        45084       45084.00    0.00        45084.00   
  102      2809675      1        2        79196        0.15   2        0        44991       39598.00    0.00        39598.00   
  103      2022627      1        12       44810        0.08   1        0        44810       44810.00    0.00        44810.00   
  104      2809017      1        3        79763        0.15   2        0        44782       39881.50    0.00        39881.50   
  105      2812433      1        2        44771        0.08   1        0        44771       44771.00    0.00        44771.00   
  106      2820319      1        2        79194        0.15   2        0        44342       39597.00    0.00        39597.00   
  107      2815476      1        6        44191        0.08   1        0        44191       44191.00    0.00        44191.00   
  108      2809511      1        4        43813        0.08   1        0        43813       43813.00    0.00        43813.00   
  109      2810913      1        2        79241        0.15   2        0        43500       39620.50    0.00        39620.50   
  110      2816892      1        3        79600        0.15   2        0        43484       39800.00    0.00        39800.00   
  111      2811275      1        8        42902        0.08   1        0        42902       42902.00    0.00        42902.00   
  112      2017967      1        3        42597        0.08   1        0        42597       42597.00    0.00        42597.00   
  113      2809313      1        2        265795       0.49   7        0        40879       37970.71    0.00        37970.71   
  114      2007913      1        7        69813        0.13   2        0        39997       34906.50    0.00        34906.50   
  115      2017552      1        6        732622       1.36   47       0        39692       15587.70    0.00        15587.70   
  116      2009243      1        2        81836        0.15   15       0        39501       5455.73     0.00        5455.73    
  117      2805001      1        2        73782        0.14   2        0        39277       36891.00    0.00        36891.00   
  118      2007863      1        9        82485        0.15   3        0        39276       27495.00    0.00        27495.00   
  119      2828986      1        2        68856        0.13   2        0        38911       34428.00    0.00        34428.00   
  120      2009471      1        9        89060        0.17   3        0        38854       29686.67    0.00        29686.67   
  121      2022694      1        2        68760        0.13   2        0        38711       34380.00    0.00        34380.00   
  122      2815568      1        2        38593        0.07   1        0        38593       38593.00    0.00        38593.00   
  123      2811867      1        2        67396        0.12   2        0        38549       33698.00    0.00        33698.00   
  124      2828060      1        4        68770        0.13   2        0        38544       34385.00    0.00        34385.00   
  125      2826697      1        2        6

This file has been truncated.


IDSDeathBlossom.py.log - (1176 bytes) - download
2019-03-22 15:07:57,060 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-03-22 15:07:57,838 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-03-22 15:07:57,838 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-03-22 15:07:57,839 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-03-22 15:07:57,839 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-03-22 15:07:57,839 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/dd4517551ee46094d4d7c344878a5e7656b33745cb75ec8c950e11a498e082d2 -r /var/pcap/03222019.1507-44c1463c-cda3-4a46-a14a-2cbcc42c12cc.pcap -vvv -k none
2019-03-22 15:08:19,278 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-03-22 15:08:19,278 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 22.2265219688


unified2.alert.1553267298 - (514 bytes) - download
POST /wp/wp-content/uploads/2019/03/up.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Host: www.triosalud.cl
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

pcnome=Windows+7+%2F++%2F+