Filename: 2018-11-23-Emotet-infection-with-Gootkit.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etproenall-all
Runtime: 34.3393368721 seconds
Hash: e0350bf4bf277b51967d5ff5e696872f
Uploaded: 1543039531

Logfiles


packet_stats.log - (13525 bytes) - download
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6         11192          5823226     4931961146    3072784605      34390.6b   99.90
 IPv4      17            14         13750270     3743268289    2562064397         35.9b    0.10
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6         11192           194402       32652260        488400          5.5b   96.19
TMM_FLOWWORKER              IPv4      17            14          1352789       49842647       7675835        107.5m    1.89
TMM_RECEIVEPCAPFILE         IPv4       6         11165             2532       18381287          4743         53.0m    0.93
TMM_RECEIVEPCAPFILE         IPv4      17            14             2579           9940          3538         49.5k    0.00
TMM_DECODEPCAPFILE          IPv4       6         11165             2647        9631192          5028         56.1m    0.99
TMM_DECODEPCAPFILE          IPv4      17            14             2709          25101          5302         74.2k    0.00

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6         11165             2695         744583          3483         38.9m  0.72  
flow                    IPv4      17            14             3434          41420          8221        115.1k  0.00  
stream                  IPv4       6         11192             2597         748266          8337         93.3m  1.74  
app-layer               IPv4      17            14            12516         111688         31241        437.4k  0.01  
detect                  IPv4       6         11192           171660       32590575        456427          5.1b  95.06 
detect                  IPv4      17            14          1194563       49101160       6833866         95.7m  1.78  
tcp-prune               IPv4       6         11192             2525         776129          3309         37.0m  0.69  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            12             3514          65881         24722        296.7k  53.25 
tls                     IPv4       6            31             2610           4997          3256        100.9k  18.12 
dns                     IPv4      17            14             6292          47676         11391        159.5k  28.63 
Proto detect            IPv4       6             4             3472          10304          5839         23.4k
Proto detect            IPv4      17            14             8222          50998         22154        310.2k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            37            21672         140309         72323          2.7m  10.60 
LOGGER_ALERT_FAST           IPv4      17             6            27726         187081         92595        555.6k  2.20  
LOGGER_UNIFIED2             IPv4       6            37            29327         147884         67402          2.5m  9.88  
LOGGER_UNIFIED2             IPv4      17             6            26586         112860         47296        283.8k  1.12  
LOGGER_JSON_ALERT           IPv4       6            37            64057         213733        104269          3.9m  15.29 
LOGGER_JSON_ALERT           IPv4      17             6            58402        7533281       1320966          7.9m  31.41 
LOGGER_JSON_DNS             IPv4      17            14            34423         659724        146788          2.1m  8.14  
LOGGER_JSON_HTTP            IPv4       6            18            44132         203589         95449          1.7m  6.81  
LOGGER_JSON_TLS             IPv4       6            16            65831         175167        112106          1.8m  7.11  
LOGGER_JSON_FILE            IPv4       6            14            58246         275096        134090          1.9m  7.44  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1676             2590        6200424         56901        95.4m  14.45 
payload                           IPv4      17            14            38980         386406        151061         2.1m  0.32  
stream                            IPv4       6          1676             2549         891580        102640       172.0m  26.06 
http_uri                          IPv4       6            18             6905          48611         11121       200.2k  0.03  
http_request_line                 IPv4       6            18             5610          45907          9554       172.0k  0.03  
http_client_body                  IPv4       6            18             3387           5166          4067        73.2k  0.01  
http_header (request)             IPv4       6            18            94949         181949        114476         2.1m  0.31  
http_header (request trailer)     IPv4       6            18             2614           3566          2829        50.9k  0.01  
http_header_names (request)       IPv4       6            18            19529          41952         23052       414.9k  0.06  
http_accept (request)             IPv4       6            18             3586          12497          4606        82.9k  0.01  
http_referer (request)            IPv4       6            18             3189           4733          3564        64.2k  0.01  
http_content_len (request)        IPv4       6            18             3393           7399          4014        72.3k  0.01  
http_content_type (request)       IPv4       6            18             2995           4597          3907        70.3k  0.01  
http_protocol (request)           IPv4       6            18             5815          15623          7048       126.9k  0.02  
http_start (request)              IPv4       6            18            13027          35971         21306       383.5k  0.06  
http_raw_header (request)         IPv4       6            18            21409          30153         26551       477.9k  0.07  
http_method                       IPv4       6            18             6335           8994          7505       135.1k  0.02  
http_cookie (request)             IPv4       6            18             3253          33090         13624       245.2k  0.04  
http_raw_uri                      IPv4       6            18             2971          97894          9177       165.2k  0.03  
http_user_agent                   IPv4       6            18            32725          67647         52003       936.1k  0.14  
http_host                         IPv4       6            18             4623          26750          7595       136.7k  0.02  
dns_query                         IPv4      17             7             7629          19260         10417        72.9k  0.01  
tls_sni                           IPv4       6            16             9587          30293         14118       225.9k  0.03  
http_response_line                IPv4       6            14             7616          25851         11143       156.0k  0.02  
http_header (response)            IPv4       6            14            36412         157979         60234       843.3k  0.13  
http_header (response trailer)    IPv4       6            12             2605         127023         20389       244.7k  0.04  
http_content_type (response)      IPv4       6            14             8686          17827         11066       154.9k  0.02  
http_raw_header (response)        IPv4       6          1483             3520          41759          5239         7.8m  1.18  
http_cookie (response)            IPv4       6            14             2986           4277          3462        48.5k  0.01  
http_stat_msg                     IPv4       6            14             5065          34577         10208       142.9k  0.02  
http_stat_code                    IPv4       6            14             4978          12298          6853        95.9k  0.01  
tls_cert_issuer                   IPv4       6            16             7589          24488         10433       166.9k  0.03  
tls_cert_subject                  IPv4       6            16             9077          22068         12975       207.6k  0.03  
tls_cert_serial                   IPv4       6            16             6320          30575          9638       154.2k  0.02  
file_data (http response)         IPv4       6          1471             2577        9963270        254562       374.5m  56.73 
Total                             IPv4                  6811                                         96919       660.1m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           102            47550       17959947        262150         26.7m  0.44  
PROF_DETECT_IPONLY          IPv4      17            14            56071         339558         99507          1.4m  0.02  
PROF_DETECT_RULES           IPv4       6         11192           126364       30979645        323114          3.6b  59.25 
PROF_DETECT_RULES           IPv4      17            14           892299       48648339       6434836         90.1m  1.48  
PROF_DETECT_STATEFUL_START    IPv4       6          2359             5108        7624964        180403        425.6m  6.97  
PROF_DETECT_STATEFUL_CONT    IPv4       6         11192             2518         154072          8446         94.5m  1.55  
PROF_DETECT_STATEFUL_CONT    IPv4      17            14             6966          78551         14973        209.6k  0.00  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6         10941             2540          69841          2986         32.7m  0.54  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            14             3151           7262          4456         62.4k  0.00  
PROF_DETECT_PREFILTER       IPv4       6         11192             7985       10455441         79088        885.2m  14.50 
PROF_DETECT_PREFILTER       IPv4      17            14           104595         425954        199722          2.8m  0.05  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1676            16530        6213433        168158        281.8m  4.62  
PROF_DETECT_PF_PAYLOAD      IPv4      17            14            57734         392083        157765          2.2m  0.04  
PROF_DETECT_PF_TX           IPv4       6         10941             2548        9993164         40328        441.2m  7.23  
PROF_DETECT_PF_TX           IPv4      17             7            13418          31598         17287        121.0k  0.00  
PROF_DETECT_PF_SORT1        IPv4       6          1676             2626          83705          6324         10.6m  0.17  
PROF_DETECT_PF_SORT1        IPv4      17            14             8351          13993         11182        156.6k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6         11192             2590         123803          3291         36.8m  0.60  
PROF_DETECT_PF_SORT2        IPv4      17            14             4501          23471          7695        107.7k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6         11192             2678       13651852          4509         50.5m  0.83  
PROF_DETECT_NONMPMLIST      IPv4      17            14             3091          43588          6638         92.9k  0.00  
PROF_DETECT_ALERT           IPv4       6         11192             2520          91910          3036         34.0m  0.56  
PROF_DETECT_ALERT           IPv4      17            14            11584          58357         22085        309.2k  0.01  
PROF_DETECT_CLEANUP         IPv4       6         11192             2566          53665          3094         34.6m  0.57  
PROF_DETECT_CLEANUP         IPv4      17            14             3704           7510          4845         67.8k  0.00  
PROF_DETECT_GETSGH          IPv4       6         11192             2525         156670          3159         35.4m  0.58  
PROF_DETECT_GETSGH          IPv4      17            14             6368          30718          9581        134.1k  0.00  


suricata-report-2018-11-24-T-06-06-05-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (18855 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etproenall/suricata400-etproenall-all.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872f51cf25896b6b2454fe89507ba3b24642 -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none
elapsedtime:33.342133
stderr:
stdout:
24/11/2018 -- 06:05:32 - <Info> - Configuration node 'rule-files' redefined.
24/11/2018 -- 06:05:32 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/11/2018 -- 06:05:32 - <Info> - CPUs/cores online: 1
24/11/2018 -- 06:05:32 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32687 and 'request-body-inspect-window' set to 15885 after randomization.
24/11/2018 -- 06:05:32 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32060 and 'response-body-inspect-window' set to 16416 after randomization.
24/11/2018 -- 06:05:32 - <Config> - DNS request flood protection level: 500
24/11/2018 -- 06:05:32 - <Config> - DNS per flow memcap (state-memcap): 524288
24/11/2018 -- 06:05:32 - <Config> - DNS global memcap: 16777216
24/11/2018 -- 06:05:32 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/11/2018 -- 06:05:32 - <Config> - preallocated 1000 hosts of size 136
24/11/2018 -- 06:05:32 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/11/2018 -- 06:05:32 - <Config> - using magic-file /usr/share/file/magic
24/11/2018 -- 06:05:32 - <Config> - Core dump size is unlimited.
24/11/2018 -- 06:05:32 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/11/2018 -- 06:05:32 - <Config> - preallocated 1000 defrag trackers of size 168
24/11/2018 -- 06:05:32 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/11/2018 -- 06:05:32 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/11/2018 -- 06:05:32 - <Config> - stream "memcap": 33554432
24/11/2018 -- 06:05:32 - <Config> - stream "midstream" session pickups: disabled
24/11/2018 -- 06:05:32 - <Config> - stream "async-oneside": disabled
24/11/2018 -- 06:05:32 - <Config> - stream "checksum-validation": disabled
24/11/2018 -- 06:05:32 - <Config> - stream."inline": disabled
24/11/2018 -- 06:05:32 - <Config> - stream "bypass": disabled
24/11/2018 -- 06:05:32 - <Config> - stream "max-synack-queued": 5
24/11/2018 -- 06:05:32 - <Config> - stream.reassembly "memcap": 134217728
24/11/2018 -- 06:05:32 - <Config> - stream.reassembly "depth": 0
24/11/2018 -- 06:05:32 - <Config> - stream.reassembly "toserver-chunk-size": 2587
24/11/2018 -- 06:05:32 - <Config> - stream.reassembly "toclient-chunk-size": 2559
24/11/2018 -- 06:05:32 - <Config> - stream.reassembly.raw: enabled
24/11/2018 -- 06:05:32 - <Config> - stream.reassembly "segment-prealloc": 2048
24/11/2018 -- 06:05:32 - <Config> - Delayed detect disabled
24/11/2018 -- 06:05:32 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/11/2018 -- 06:05:32 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/11/2018 -- 06:05:32 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/11/2018 -- 06:05:32 - <Config> - prefilter engines: MPM
24/11/2018 -- 06:05:32 - <Config> - IP reputation disabled
24/11/2018 -- 06:05:32 - <Perf> - Registered 148 keyword profiling counters.
24/11/2018 -- 06:05:32 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-ftp.rules
24/11/2018 -- 06:05:32 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-policy.rules
24/11/2018 -- 06:05:32 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-trojan.rules
24/11/2018 -- 06:05:37 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-games.rules
24/11/2018 -- 06:05:37 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-pop3.rules
24/11/2018 -- 06:05:37 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-user_agents.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-activex.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-rpc.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-attack_response.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-icmp.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-scan.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-voip.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-chat.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-icmp_info.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-info.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-shellcode.rules
24/11/2018 -- 06:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-web_client.rules
24/11/2018 -- 06:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-imap.rules
24/11/2018 -- 06:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-web_server.rules
24/11/2018 -- 06:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-current_events.rules
24/11/2018 -- 06:05:42 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-inappropriate.rules
24/11/2018 -- 06:05:42 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-smtp.rules
24/11/2018 -- 06:05:42 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-web_specific_apps.rules
24/11/2018 -- 06:05:44 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-deleted.rules
24/11/2018 -- 06:05:45 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-malware.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-snmp.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-worm.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-dns.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-misc.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-sql.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-dos.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-netbios.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-telnet.rules
24/11/2018 -- 06:05:46 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-exploit.rules
24/11/2018 -- 06:05:47 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-p2p.rules
24/11/2018 -- 06:05:47 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-tftp.rules
24/11/2018 -- 06:05:47 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-mobile_malware.rules
24/11/2018 -- 06:05:48 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-botcc.rules
24/11/2018 -- 06:05:48 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-compromised.rules
24/11/2018 -- 06:05:48 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-drop.rules
24/11/2018 -- 06:05:48 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-dshield.rules
24/11/2018 -- 06:05:48 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-tor.rules
24/11/2018 -- 06:05:48 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/enableall-ET-ciarmy.rules
24/11/2018 -- 06:05:48 - <Config> - Loading rule file: /opt/suricata400/etc/etproenall/local.rules
24/11/2018 -- 06:05:48 - <Config> - No rules loaded from local.rules.
24/11/2018 -- 06:05:48 - <Info> - 44 rule files processed. 50693 rules successfully loaded, 0 rules failed
24/11/2018 -- 06:05:48 - <Info> - Threshold config parsed: 0 rule(s) found
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for tcp-packet
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for tcp-stream
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for udp-packet
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for other-ip
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_uri
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_client_body
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_accept
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_accept_enc
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_accept_lang
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_referer
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_connection
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_method
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_raw_uri
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_user_agent
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_host
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_raw_host
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_stat_msg
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_stat_code
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for dns_query
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for tls_sni
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:05:49 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:05:49 - <Info> - 50718 signatures processed. 1220 are IP-only rules, 21106 are inspecting packet payload, 34612 inspect application layer, 0 are decoder event only
24/11/2018 -- 06:05:49 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/11/2018 -- 06:05:50 - <Perf> - TCP toserver: 41 port groups, 35 unique SGH's, 6 copies
24/11/2018 -- 06:05:50 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/11/2018 -- 06:05:50 - <Perf> - UDP toserver: 41 port groups, 34 unique SGH's, 7 copies
24/11/2018 -- 06:05:50 - <Perf> - UDP toclient: 21 port groups, 18 unique SGH's, 3 copies
24/11/2018 -- 06:05:50 - <Perf> - OTHER toserver: 254 proto groups, 7 unique SGH's, 247 copies
24/11/2018 -- 06:05:50 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/11/2018 -- 06:05:57 - <Perf> - Unique rule groups: 114
24/11/2018 -- 06:05:57 - <Perf> - Builtin MPM "toserver TCP packet": 33
24/11/2018 -- 06:05:57 - <Perf> - Builtin MPM "toclient TCP packet": 18
24/11/2018 -- 06:05:57 - <Perf> - Builtin MPM "toserver TCP stream": 29
24/11/2018 -- 06:05:57 - <Perf> - Builtin MPM "toclient TCP stream": 20
24/11/2018 -- 06:05:57 - <Perf> - Builtin MPM "toserver UDP packet": 33
24/11/2018 -- 06:05:57 - <Perf> - Builtin MPM "toclient UDP packet": 18
24/11/2018 -- 06:05:57 - <Perf> - Builtin MPM "other IP packet": 4
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_header": 10
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient http_header": 6
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_start": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_raw_header": 2
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient http_raw_header": 2
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_method": 5
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_user_agent": 7
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver http_host": 2
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient http_stat_msg": 2
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient http_stat_code": 3
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver dce_stub_data": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient dce_stub_data": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toserver file_data": 1
24/11/2018 -- 06:05:57 - <Perf> - AppLayer MPM "toclient file_data": 5
24/11/2018 -- 06:06:01 - <Perf> - Registered 50718 rule profiling co

This file has been truncated. Go here to download in full.


unified2.alert.1543039561 - (89004 bytes) - download
ePÁ7sQ×}u8P{ÒHTTP/1.1 200 OK
Date: Fri, 23 Nov 2018 17:45:05 GMT
Server: Apache
Expires: Tue, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
Content-Disposition: attachment; filename="BF_COUPON_5302.doc"
Content-Transfer-Encoding: binary
Last-Modified: Fri, 23 Nov 2018 17:45:05 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/msword

[The remaining unified2 alert records repeat the HTTP response headers above, followed by the raw binary packet payload (the chunked application/msword body); that binary data is not rendered here.]

This file has been truncated.


stats.log - (2934 bytes)
------------------------------------------------------------------------------------
Date: 11/24/2018 -- 06:06:05 (uptime: 0d, 00h 00m 04s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 11179
decoder.bytes                              | Total                     | 6503078
decoder.ipv4                               | Total                     | 11179
decoder.ethernet                           | Total                     | 11179
decoder.tcp                                | Total                     | 11165
decoder.udp                                | Total                     | 14
decoder.avg_pkt_size                       | Total                     | 581
decoder.max_pkt_size                       | Total                     | 1342
flow.tcp                                   | Total                     | 65
flow.udp                                   | Total                     | 7
tcp.sessions                               | Total                     | 65
tcp.syn                                    | Total                     | 135
tcp.synack                                 | Total                     | 30
tcp.rst                                    | Total                     | 26
tcp.reassembly_gap                         | Total                     | 3
tcp.overlap                                | Total                     | 3
tcp.insert_list_fail                       | Total                     | 249
detect.alert                               | Total                     | 61
detect.mpm_list                            | Total                     | 4
detect.nonmpm_list                         | Total                     | 62
detect.fnonmpm_list                        | Total                     | 25
detect.match_list                          | Total                     | 30
app_layer.flow.http                        | Total                     | 10
app_layer.tx.http                          | Total                     | 18
app_layer.flow.tls                         | Total                     | 16
app_layer.flow.dns_udp                     | Total                     | 7
app_layer.tx.dns_udp                       | Total                     | 7
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075456


eve.json - (64336 bytes)
{"timestamp":"2018-11-23T17:45:05.447352+0000","flow_id":711627706061688,"pcap_cnt":1,"event_type":"alert","src_ip":"10.11.23.101","src_port":60374,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-11-23T17:45:05.447352+0000","flow_id":711627706061688,"pcap_cnt":1,"event_type":"dns","src_ip":"10.11.23.101","src_port":60374,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47151,"rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":711627706061688,"pcap_cnt":2,"event_type":"alert","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2002752,"rev":4,"signature":"ET POLICY Reserved Internal IP Traffic","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":711627706061688,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"A","ttl":14400,"rdata":"64.187.229.195"}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":711627706061688,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"NS","ttl":20864,"rdata":"ns2.blazewebtech.com"}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":711627706061688,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"NS","ttl":20864,"rdata":"ns1.blazewebtech.com"}}
{"timestamp":"2018-11-23T17:45:05.666443+0000","flow_id":425623686283640,"pcap_cnt":8,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.667264+0000","flow_id":425623686283640,"pcap_cnt":14,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001115,"rev":7,"signature":"ET POLICY MSI (microsoft installer file) download","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.667264+0000","flow_id":425623686283640,"pcap_cnt":14,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2018-11-23T17:45:05.668243+0000","flow_id":425623686283640,"pcap_cnt":22,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2801271,"rev":1,"signature":"ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution","category":"Attempted User Privilege Gain","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.715156+0000","flow_id":425623686283640,"pcap_cnt":28,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2801271,"rev":1,"signature":"ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution","category":"Attempted User Privilege Gain","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.766520+0000","flow_id":425623686283640,"pcap_cnt":77,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2801271,"rev":1,"signature":"ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution","category":"Attempted User Privilege Gain","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.766949+0000","flow_id":425623686283640,"pcap_cnt":81,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2801271,"rev":1,"signature":"ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution","category":"Attempted User Privilege Gain","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.767380+0000","flow_id":425623686283640,"pcap_cnt":85,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2801271,"rev":1,"signature":"ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution","category":"Attempted User Privilege Gain","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.767380+0000","flow_id":425623686283640,"pcap_cnt":85,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019613,"rev":3,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2018-11-23T17:45:05.769051+0000","flow_id":425623686283640,"pcap_cnt":101,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.769051+0000","flow_id":425623686283640,"pcap_cnt":101,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":2801271,"rev":1,"signature":"ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution","category":"Attempted User Privilege Gain","severity":1}}
{"timestamp":"2018-11-23T17:45:05.769912+0000","flow_id":425623686283640,"pcap_cnt":109,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2801271,"rev":1,"signature":"ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution","category":"Attempted User Privilege Gain","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.817762+0000","flow_id":425623686283640,"pcap_cnt":123,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2801271,"rev":1,"signature":"ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution","category":"Attempted User Privilege Gain","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.821936+0000","flow_id":425623686283640,"pcap_cnt":163,"event_type":"http","src_ip":"10.11.23.101","src_port":49463,"dest_ip":"64.187.229.195","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sbpupvcwindows.blazewebtech.com","url":"\/US\/Black-Friday\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-11-23T17:45:10.769725+0000","flow_id":425623686283640,"pcap_cnt":165,"event_type":"fileinfo","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","http":{"hostname":"sbpupvcwindows.blazewebtech.com","url":"\/US\/Black-Friday\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97130},"app_proto":"http","fileinfo":{"filename":"BF_COUPON_5302.doc","gaps":false,"state":"CLOSED","stored":false,"size":97024,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.227354+0000","flow_id":2046275910989850,"pcap_cnt":169,"event_type":"dns","src_ip":"10.11.23.101","src_port":54988,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47911,"rrname":"www.atlantictoursrd.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":2046275910989850,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"www.atlantictoursrd.com","rrtype":"CNAME","ttl":10800,"rdata":"atlantictoursrd.com"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":2046275910989850,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"A","ttl":10800,"rdata":"166.62.74.3"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":2046275910989850,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"NS","ttl":3600,"rdata":"ns40.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":2046275910989850,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"NS","ttl":3600,"rdata":"ns39.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:45:45.480093+0000","flow_id":2147040138723483,"pcap_cnt":177,"event_type":"alert","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2010228,"rev":7,"signature":"ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:45.480093+0000","flow_id":2147040138723483,"pcap_cnt":177,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:45:45.576387+0000","flow_id":2147040138723483,"pcap_cnt":179,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:45.576387+0000","flow_id":2147040138723483,"pcap_cnt":179,"event_type":"fileinfo","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/www.atlantictoursrd.com\/dWUYS8Xoq\/","length":249},"app_proto":"http","fileinfo":{"filename":"\/dWUYS8Xoq","gaps":false,"state":"CLOSED","stored":false,"size":249,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.577475+0000","flow_id":2147040138723483,"pcap_cnt":183,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2804239,"rev":5,"signature":"ETPRO DELETED Tratraps\/Infostealer\/Banker.dldr!i CnC Response","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:45.577475+0000","flow_id":2147040138723483,"pcap_cnt":183,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":2007670,"rev":10,"signature":"ET DELETED Likely Binary in HTTP by Type Flowbit","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2018-11-23T17:45:45.581295+0000","flow_id":2147040138723483,"pcap_cnt":204,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:45.581295+0000","flow_id":2147040138723483,"pcap_cnt":204,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2022053,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-23T17:45:45.581295+0000","flow_id":2147040138723483,"pcap_cnt":204,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2819694,"rev":2,"signature":"ETPRO TROJAN Locky JS Executable Payload Download","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-23T17:45:45.581295+0000","flow_id":2147040138723483,"pcap_cnt":204,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-11-23T17:45:45.654007+0000","flow_id":2147040138723483,"pcap_cnt":347,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-23T17:47:32.195554+0000","flow_id":366022434659354,"pcap_cnt":367,"event_type":"alert","src_ip":"10.11.23.101","src_port":49470,"dest_ip":"47.32.209.86","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2010228,"rev":7,"signature":"ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:47:32.195554+0000","flow_id":366022434659354,"pcap_cnt":367,"event_type":"http","src_ip":"10.11.23.101","src_port":49470,"dest_ip":"47.32.209.86","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET

This file has been truncated.


suricata-4.0.0-etproenall-all-alert-2018-11-24-T-06-06-05-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (13193 bytes)
11/23/2018-17:45:05.447352  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.11.23.101:60374 -> 10.11.23.1:53
11/23/2018-17:45:05.523720  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.11.23.1:53 -> 10.11.23.101:60374
11/23/2018-17:45:05.666443  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.667264  [**] [1:2001115:7] ET POLICY MSI (microsoft installer file) download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.667264  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.668243  [**] [1:2801271:1] ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.715156  [**] [1:2801271:1] ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.766520  [**] [1:2801271:1] ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.766949  [**] [1:2801271:1] ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.767380  [**] [1:2801271:1] ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.767380  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.769051  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.769051  [**] [1:2801271:1] ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.769912  [**] [1:2801271:1] ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.817762  [**] [1:2801271:1] ETPRO DELETED Microsoft Windows Kodak Image Viewer Code Execution [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:45.480093  [**] [1:2010228:7] ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49465 -> 166.62.74.3:80
11/23/2018-17:45:45.576387  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.577475  [**] [1:2804239:5] ETPRO DELETED Tratraps/Infostealer/Banker.dldr!i CnC Response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.577475  [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.581295  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.581295  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.581295  [**] [1:2819694:2] ETPRO TROJAN Locky JS Executable Payload Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.581295  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:47:32.195554  [**] [1:2010228:7] ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49470 -> 47.32.209.86:80
11/23/2018-17:48:30.777030  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.32.209.86:80 -> 10.11.23.101:49470
11/23/2018-17:48:30.777030  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.32.209.86:80 -> 10.11.23.101:49470
11/23/2018-17:48:31.749999  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.32.209.86:80 -> 10.11.23.101:49470
11/23/2018-17:48:31.749999  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 47.32.209.86:80 -> 10.11.23.101:49470
11/23/2018-17:50:24.299248  [**] [1:2006408:14] ET POLICY HTTP Request on Unusual Port Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49472 -> 74.56.138.57:443
11/23/2018-17:50:54.051956  [**] [1:2010228:7] ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49476 -> 190.210.251.29:80
11/23/2018-17:50:54.290438  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 190.210.251.29:80 -> 10.11.23.101:49476
11/23/2018-17:50:54.290438  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 190.210.251.29:80 -> 10.11.23.101:49476
11/23/2018-17:53:56.895576  [**] [1:2006408:14] ET POLICY HTTP Request on Unusual Port Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49480 -> 23.94.123.231:443
11/23/2018-17:53:56.895893  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.94.123.231:443 -> 10.11.23.101:49480
11/23/2018-17:53:56.895893  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.94.123.231:443 -> 10.11.23.101:49480
11/23/2018-17:53:58.042265  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.11.23.101:51092 -> 10.11.23.1:53
11/23/2018-17:53:58.142024  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.11.23.1:53 -> 10.11.23.101:51092
11/23/2018-17:54:01.415957  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.94.123.231:443 -> 10.11.23.101:49480
11/23/2018-17:54:01.415957  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.94.123.231:443 -> 10.11.23.101:49480
11/23/2018-17:59:46.957401  [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.223.89.132:443 -> 10.11.23.101:49485
11/23/2018-18:03:58.112937  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.11.23.101:59535 -> 10.11.23.1:53
11/23/2018-18:03:58.136220  [**] [1:2002752:4] ET POLICY Reserved Internal IP Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.11.23.1:53 -> 10.11.23.101:59535
11/23/2018-18:03:58.759000  [**] [1:2800490:5] ETPRO DELETED Mozilla Network Security Services Regexp Heap Overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.55.107.148:443 -> 10.11.23.101:49487
11/23/2018-18:08:55.243497  [**] [1:2006408:14] ET POLICY HTTP Request on Unusual Port Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49494 -> 23.94.123.231:443
11/23/2018-18:08:55.244141  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.94.123.231:443 -> 10.11.23.101:49494
11/23/2018-18:08:55.244141  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.94.123.231:443 -> 10.11.23.101:49494
11/23/2018-18:08:59.878927  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.94.123.231:443 -> 10.11.23.101:49494
11/23/2018-18:08:59.878927  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.94.123.231:443 -> 10.11.23.101:49494
11/23/2018-18:11:03.086157  [**] [1:2006408:14] ET POLICY HTTP Request on Unusual Port Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49511 -> 91.184.13.216:8080
11/23/2018-18:11:06.084462  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 91.184.13.216:8080 -> 10.11.23.101:49511
11/23/2018-18:11:06.084462  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 91.184.13.216:8080 -> 10.11.23.101:49511
11/23/2018-18:11:29.021379  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 91.184.13.216:8080 -> 10.11.23.101:49514
11/23/2018-18:11:29.021379  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 91.184.13.216:8080 -> 10.11.23.101:49514
11/23/2018-18:11:33.954458  [**] [1:2006408:14] ET POLICY HTTP Request on Unusual Port Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49516 -> 91.184.13.216:8080
11/23/2018-18:11:36.955741  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 91.184.13.216:8080 -> 10.11.23.101:49516
11/23/2018-18:11:36.955741  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 91.184.13.216:8080 -> 10.11.23.101:49516
11/23/2018-18:13:32.799647  [**] [1:2006408:14] ET POLICY HTTP Request on Unusual Port Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49524 -> 91.184.13.216:8080
11/23/2018-18:13:35.800538  [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 91.184.13.216:8080 -> 10.11.23.101:49524
11/23/2018-18:13:35.800538  [**] [1:2008064:6] ET DELETED Nginx Server with no version string - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 91.184.13.216:8080 -> 10.11.23.101:49524
11/23/2018-18:18:16.100460  [**] [1:2010228:7] ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49473 -> 100.35.142.37:80
11/23/2018-18:18:16.100460  [**] [1:2006408:14] ET POLICY HTTP Request on Unusual Port Possibly Hostile [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.11.23.101:49477 -> 186.103.149.146:8080


keyword_perf.log - (19990 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/24/2018 -- 06:06:05
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  ack              33094642        11272           0               139954          2936.00         0.00            2936.00        
  ipopts           16995388        5650            0               115041          3008.00         0.00            3008.00        
  flags            2689504         900             0               40984           2988.00         0.00            2988.00        
  fragbits         55034404        18522           6169            105207          2971.00         3009.00         2952.00        
  fragoffset       16582506        5629            0               63564           2945.00         0.00            2945.00        
  ttl              16939955        5650            0               62673           2998.00         0.00            2998.00        
  dsize            1585790         552             549             30581           2872.00         2872.00         2894.00        
  flow             79456087        25263           25113           81839           3145.00         3144.00         3307.00        
  threshold        429444          53              40              40998           8102.00         7452.00         10102.00       
  content          307887576       29990           10095           5572047         10266.00        17593.00        6548.00        
  pcre             166438070       22285           221             175681          7468.00         7050.00         7472.00        
  byte_test        106887365       37962           7321            176550          2815.00         2899.00         2795.00        
  byte_jump        17339768        6054            1342            218789          2864.00         2864.00         2864.00        
  sameip           32510224        11206           0               108670          2901.00         0.00            2901.00        
  isdataat         272361          88              55              16091           3095.00         2937.00         3357.00        
  flowbits         34356955        11341           5021            64742           3029.00         3021.00         3035.00        
  stream_size      63027           14              13              18737           4501.00         4601.00         3210.00        
  urilen           1708758         518             91              25274           3298.00         3222.00         3314.00        
  byte_extract     1847661         477             472             58320           3873.00         3886.00         2656.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  ack              33094642        11272           0               139954          2936.00         0.00            2936.00        
  ipopts           16995388        5650            0               115041          3008.00         0.00            3008.00        
  flags            2689504         900             0               40984           2988.00         0.00            2988.00        
  fragbits         55034404        18522           6169            105207          2971.00         3009.00         2952.00        
  fragoffset       16582506        5629            0               63564           2945.00         0.00            2945.00        
  ttl              16939955        5650            0               62673           2998.00         0.00            2998.00        
  dsize            1585790         552             549             30581           2872.00         2872.00         2894.00        
  flow             79456087        25263           25113           81839           3145.00         3144.00         3307.00        
  sameip           32510224        11206           0               108670          2901.00         0.00            2901.00        
  flowbits         19364275        6375            55              64742           3037.00         3236.00         3035.00        
  stream_size      63027           14              13              18737           4501.00         4601.00         3210.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          83014966        21275           5186            78495           3901.00         5508.00         3384.00        
  pcre             154676189       19492           13              175681          7935.00         9635.00         7934.00        
  byte_test        106727131       37921           7304            176550          2814.00         2897.00         2794.00        
  byte_jump        17299907        6042            1332            218789          2863.00         2861.00         2863.00        
  isdataat         269556          87              54              16091           3098.00         2939.00         3357.00        
  byte_extract     1847661         477             472             58320           3873.00         3886.00         2656.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         14992680        4966            4966            56653           3019.00         3019.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        429444          53              40              40998           8102.00         7452.00         10102.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          877517          206             47              81540           4259.00         5836.00         3793.00        
  pcre             941171          133             24              75307           7076.00         11064.00        6198.00        
  urilen           1708758         518             91              25274           3298.00         3222.00         3314.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          42315           13              0               4533            3255.00         0.00            3255.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          205248308       5540            2715            316919          37048.00        49110.00        25456.00       
  pcre             8379197         2288            0               44703           3662.00         0.00            3662.00        
  byte_test        160234          41              17              5350            3908.00         3919.00         3900.00        
  byte_jump        39861           12              10              5053            3321.00         3234.00         3757.00        
  isdataat         2805            1               1               2805            2805.00         2805.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          9676161         2086            1641            109539          4638.00         4694.00         4431.00        
  pcre             2046217         311             126             31260           6579.00         6338.00         6743.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          439584          108             70              20258           4070.00         4275.00         3692.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          8321            2               2               4230            4160.00         4160.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7485            2               2               3908            3742.00         3742.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          106373          26              24              13797           4091.00         4136.00         3544.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          55972           16              16              4536            3498.00         3498.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5347            1               0               5347            5347.00         0.00            5347.00        
  pcre             14732           1               0               14732           14732.00        0.00            14732.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          504378          142             56              15

This file has been truncated.


suricata-4.0.0-etproenall-all-perf.txt-2018-11-24-T-06-06-05-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (178391 bytes)
  --------------------------------------------------------------------------
  Date: 11/24/2018 -- 06:06:05. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2803400      1        1        23754781     0.89   14       0        15726840    1696770.07  0.00        1696770.07 
  2        2803396      1        1        23546818     0.88   14       0        15212298    1681915.57  0.00        1681915.57 
  3        2803398      1        1        23520358     0.88   14       0        15170935    1680025.57  0.00        1680025.57 
  4        2801980      1        3        116485183    4.35   38       0        14933847    3065399.55  0.00        3065399.55 
  5        2801981      1        3        110912477    4.15   38       0        14323755    2918749.39  0.00        2918749.39 
  6        2102589      1        7        7144465      0.27   2        0        7116247     3572232.50  0.00        3572232.50 
  7        2016858      1        10       6156212      0.23   17       0        5640544     362130.12   0.00        362130.12  
  8        2002658      1        4        18050250     0.67   1706     0        4512770     10580.45    0.00        10580.45   
  9        2000540      1        8        34010051     1.27   9500     0        3671259     3580.01     0.00        3580.01    
  10       2100502      1        3        67576533     2.53   11206    0        1732272     6030.39     0.00        6030.39    
  11       2017565      1        4        70099882     2.62   350      0        1373739     200285.38   0.00        200285.38  
  12       2815453      1        4        8401756      0.31   9        0        1129991     933528.44   0.00        933528.44  
  13       2002725      1        14       5798665      0.22   525      0        785676      11045.08    0.00        11045.08   
  14       2101929      1        6        17064515     0.64   5648     0        760633      3021.34     0.00        3021.34    
  15       2001608      1        9        6213337      0.23   525      0        754915      11834.93    0.00        11834.93   
  16       2803397      1        1        1601014      0.06   14       0        504845      114358.14   0.00        114358.14  
  17       2100628      1        8        65125070     2.43   11192    0        503137      5818.89     0.00        5818.89    
  18       2803395      1        1        1529682      0.06   14       0        455387      109263.00   0.00        109263.00  
  19       2803399      1        1        1668378      0.06   14       0        434685      119169.86   0.00        119169.86  
  20       2017566      1        5        68653105     2.57   348      0        404508      197279.04   0.00        197279.04  
  21       2001376      1        12       14302105     0.53   1706     0        387150      8383.41     0.00        8383.41    
  22       2801978      1        3        1456117      0.05   14       0        371858      104008.36   0.00        104008.36  
  23       2018330      1        6        60345583     2.26   315      0        359627      191573.28   0.00        191573.28  
  24       2801979      1        3        1311041      0.05   14       0        344440      93645.79    0.00        93645.79   
  25       2820158      1        2        36577779     1.37   236      0        319092      154990.59   0.00        154990.59  
  26       2819664      1        2        33572572     1.26   213      0        316400      157617.71   0.00        157617.71  
  27       2809303      1        3        313508       0.01   1        0        313508      313508.00   0.00        313508.00  
  28       2820157      1        2        37102922     1.39   236      0        286935      157215.77   0.00        157215.77  
  29       2012684      1        8        271533       0.01   1        0        271533      271533.00   0.00        271533.00  
  30       2819930      1        2        32911818     1.23   213      0        267105      154515.58   0.00        154515.58  
  31       2020865      1        3        25009725     0.93   197      0        251761      126952.92   0.00        126952.92  
  32       2809148      1        2        229709       0.01   1        0        229709      229709.00   0.00        229709.00  
  33       2809149      1        2        206271       0.01   1        0        206271      206271.00   0.00        206271.00  
  34       2021735      1        4        525187       0.02   16       0        202477      32824.19    0.00        32824.19   
  35       2001384      1        13       13377800     0.50   1706     0        193526      7841.62     0.00        7841.62    
  36       2016855      1        2        186576       0.01   1        0        186576      186576.00   0.00        186576.00  
  37       2816510      1        3        1619864      0.06   11       0        178893      147260.36   0.00        147260.36  
  38       2819940      1        3        1607055      0.06   11       0        176145      146095.91   0.00        146095.91  
  39       2012520      1        7        175070       0.01   1        1        175070      175070.00   175070.00   0.00       
  40       2814961      1        5        509517       0.02   16       0        167903      31844.81    0.00        31844.81   
  41       2100623      1        7        98425083     3.68   11192    0        164936      8794.24     0.00        8794.24    
  42       2803027      1        6        1571219      0.06   28       0        158257      56114.96    0.00        56114.96   
  43       2003092      1        3        4580708      0.17   654      0        154818      7004.14     0.00        7004.14    
  44       2016854      1        3        153745       0.01   1        0        153745      153745.00   0.00        153745.00  
  45       2018958      1        18       885503       0.03   17       0        148275      52088.41    0.00        52088.41   
  46       2011539      1        3        1140686      0.04   16       0        148091      71292.88    0.00        71292.88   
  47       2003026      1        5        73095648     2.73   4917     4870     146459      14865.90    14921.13    9143.98    
  48       2806802      1        2        9783599      0.37   465      0        144406      21040.00    0.00        21040.00   
  49       2001379      1        12       14500795     0.54   1706     0        136593      8499.88     0.00        8499.88    
  50       2825417      1        2        135780       0.01   1        0        135780      135780.00   0.00        135780.00  
  51       2012510      1        2        2664177      0.10   55       0        135204      48439.58    0.00        48439.58   
  52       2800490      1        5        1507765      0.06   16       1        134928      94235.31    56253.00    96767.47   
  53       2016188      1        4        134524       0.01   1        0        134524      134524.00   0.00        134524.00  
  54       2019837      1        3        157494       0.01   9        1        131878      17499.33    131878.00   3202.00    
  55       2001382      1        12       16620924     0.62   1706     0        126481      9742.63     0.00        9742.63    
  56       2017373      1        6        767909       0.03   7        0        125954      109701.29   0.00        109701.29  
  57       2021413      1        2        124125       0.00   1        0        124125      124125.00   0.00        124125.00  
  58       2013319      1        2        2918190      0.11   61       0        122018      47839.18    0.00        47839.18   
  59       2003119      1        4        635637       0.02   17       0        120924      37390.41    0.00        37390.41   
  60       2021418      1        9        120848       0.00   1        0        120848      120848.00   0.00        120848.00  
  61       2000309      1        8        33169579     1.24   11192    0        119156      2963.69     0.00        2963.69    
  62       2801157      1        2        15746646     0.59   5431     0        119071      2899.40     0.00        2899.40    
  63       2001022      1        5        98135629     3.67   11192    0        118623      8768.37     0.00        8768.37    
  64       2018342      1        2        1229133      0.05   11       0        118210      111739.36   0.00        111739.36  
  65       2001023      1        5        65040139     2.43   11192    0        118183      5811.31     0.00        5811.31    
  66       2021736      1        3        424749       0.02   16       0        116845      26546.81    0.00        26546.81   
  67       2100527      1        9        96871910     3.62   11206    0        115857      8644.65     0.00        8644.65    
  68       2016537      1        2        22299708     0.83   1480     0        115442      15067.37    0.00        15067.37   
  69       2002491      1        12       5371390      0.20   525      0        114898      10231.22    0.00        10231.22   
  70       2825416      1        2        114665       0.00   1        0        114665      114665.00   0.00        114665.00  
  71       2100523      1        6        65643986     2.45   11206    0        114070      5857.93     0.00        5857.93    
  72       2003092      1        3        5126721      0.19   1579     0        113750      3246.82     0.00        3246.82    
  73       2820031      1        2        604769       0.02   17       0        112882      35574.65    0.00        35574.65   
  74       2816910      1        2        1136595      0.04   18       0        111980      63144.17    0.00        63144.17   
  75       2001102      1        13       5880262      0.22   660      0        111685      8909.49     0.00        8909.49    
  76       2830701      1        1        1266029      0.05   14       0        111183      90430.64    0.00        90430.64   
  77       2810481      1        4        5563115      0.21   252      0        110613      22075.85    0.00        22075.85   
  78       2003173      1        7        1571281      0.06   51       0        110053      30809.43    0.00        30809.43   
  79       2020202      1        2        138557       0.01   2        0        109640      69278.50    0.00        69278.50   
  80       2024228      1        3        1586834      0.06   23       0        109204      68992.78    0.00        68992.78   
  81       2816929      1        4        693820       0.03   18       0        109114      38545.56    0.00        38545.56   
  82       2018358      1        7        1380787      0.05   17       0        108426      81222.76    0.00        81222.76   
  83       2024769      1        2        975826       0.04   10       0        108200      97582.60    0.00        97582.60   
  84       2019344      1        5        1079307      0.04   17       1        107367      63488.65    86860.00    62027.94   
  85       2018983      1        7        605087       0.02   17       0        107054      35593.35    0.00        35593.35   
  86       2101321      1        9        65186492     2.44   11206    0        105651      5817.11     0.00        5817.11    
  87       2802022      1        5        1534593      0.06   42       0        105634      36537.93    0.00        36537.93   
  88       2003174      1        8        1475495      0.06   51       0        102897      28931.27    0.00        28931.27   
  89       2018005      1        6        867508       0.03   16       0        102700      54219.25    0.00        54219.25   
  90       2024650      1        1        4749066      0.18   314      0        101604      15124.41    0.00        15124.41   
  91       2001377      1        12       15122739     0.57   1706     0        100853      8864.44     0.00        8864.44    
  92       2023670      1        3        774611       0.03   17       3        100254      45565.35    53805.00    43799.71   
  93       2801156      1        2        16347664     0.61   5560     0        99696       2940.23     0.00        2940.23    
  94       2019613      1        3        121937       0.00   8        1        98955       15242.12    98955.00    3283.14    
  95       2002742      1        10       13974630     0.52   1692     0        98370       8259.24     0.00        8259.24    
  96       2023140      1        2        4364106      0.16   1474     0        97973       2960.72     0.00        2960.72    
  97       2001981      1        7        10167296     0.38   1563     0        97726       6504.99     0.00        6504.99    
  98       2024601      1        2        97596        0.00   1        0        97596       97596.00    0.00        97596.00   
  99       2003322      1        4        4589152      0.17   1436     0        96497       3195.79     0.00        3195.79    
  100      2001375      1        12       14442638     0.54   1706     0        96303       8465.79     0.00        8465.79    
  101      2801271      1        1        874860       0.03   48       8        95979       18226.25    41502.00    13571.10   
  102      2100524      1        9        16257345     0.61   5648     0        95696       2878.43     0.00        2878.43    
  103      2828122      1        2        638100       0.02   17       1        95229       37535.29    95229.00    33929.44   
  104      2022054      1        3        184048       0.01   2        0        95169       92024.00    0.00        92024.00   
  105      2019954      1        2        248980       0.01   11       0        95085       22634.55    0.00        22634.55   
  106      2001380      1        12       12905168     0.48   1706     0        93992       7564.58     0.00        7564.58    
  107      2021743      1        4        407927       0.02   16       0        92557       25495.44    0.00        25495.44   
  108      2009293      1        1        14646220     0.55   1706     0        92542       8585.12     0.00        8585.12    
  109      2802991      1        5        1239408      0.05   28       0        92511       44264.57    0.00        44264.57   
  110      2002528      1        5        247259       0.01   16       0        91645       15453.69    0.00        15453.69   
  111      2020637      1        4        1482254      0.06   32       0        91572       46320.44    0.00        46320.44   
  112      2804545      1        4        34306151     1.28   1563     0        91241       21948.91    0.00        21948.91   
  113      2802994      1        3        924990       0.03   26       0        90496       35576.54    0.00        35576.54   
  114      2021067      1        2        161024       0.01   3        2        90448       53674.67    65048.50    30927.00   
  115      2013320      1        2        2755962      0.10   61       0        90409       45179.70    0.00        45179.70   
  116      2816940      1        2        1105304      0.04   18       0        90315       61405.78    0.00        61405.78   
  117      2814978      1        2        1092218      0.04   16       0        89967       68263.62    0.00        68263.62   
  118      2827279      1        5        1149270      0.04   18       0        89848       63848.33    0.00        63848.33   
  119      2024272      1        4        463679       0.02   14       0        89735       33119.93    0.00        33119.93   
  120      2011803      1        5        683294       0.03   12       0        89564       56941.17    0.00        56941.17   
  121      2021694      1        5        347416       0.01   18       0        89547       19300.89    0.00        19300.89   
  122      2018375      1        3        976475       0.04   65       0        89488       15022.69    0.00        15022.69   
  123      2809958      1        2        690764       0.03   26       0        89442       26567.85    0.00        26567.85   
  124      2100268      1        5        5186212      0.19   1706     0        89414       3039.98     0.00        3039.98    
  125      2020679      1        4        

This file has been truncated.


IDSDeathBlossom.py.log - (1195 bytes) - download
2018-11-24 06:05:31,284 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-24 06:05:32,063 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-24 06:05:32,063 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etproenall-all
2018-11-24 06:05:32,064 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-24 06:05:32,064 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-24 06:05:32,064 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etproenall/suricata400-etproenall-all.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872f51cf25896b6b2454fe89507ba3b24642 -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none
2018-11-24 06:06:05,409 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-24 06:06:05,409 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 34.1341819763