Filename: 2018-11-23-Emotet-infection-with-Gootkit.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 23.7030088902 seconds
Hash: e0350bf4bf277b51967d5ff5e696872f
Uploaded: 1543041767

Logfiles


packet_stats.log (13028 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6         11196          3602912     1692760087    1202096727      13458.7b   99.90
 IPv4      17            14         19011678     1333138677     954612928         13.4b    0.10
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6         11196            65779       15532159        177703          2.0b   94.16
TMM_FLOWWORKER              IPv4      17            14           459209        1115447        605706          8.5m    0.40
TMM_RECEIVEPCAPFILE         IPv4       6         11165             2534         139217          2863         32.0m    1.51
TMM_RECEIVEPCAPFILE         IPv4      17            14             2577           8614          3231         45.2k    0.00
TMM_DECODEPCAPFILE          IPv4       6         11165             2648       19203168          7424         82.9m    3.92
TMM_DECODEPCAPFILE          IPv4      17            14             2785          24424          4979         69.7k    0.00

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6         11165             2689          62604          3258         36.4m  1.99  
flow                    IPv4      17            14             3235          10727          5095         71.3k  0.00  
stream                  IPv4       6         11196             2581         618841          7032         78.7m  4.31  
app-layer               IPv4      17            14            12451          66631         23164        324.3k  0.02  
detect                  IPv4       6         11196            44400       15500289        149342          1.7b  91.51 
detect                  IPv4      17            14           358989         587017        432479          6.1m  0.33  
tcp-prune               IPv4       6         11196             2521          61066          3002         33.6m  1.84  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            12             3413          60070         23227        278.7k  56.93 
tls                     IPv4       6            31             2601           4977          3038         94.2k  19.24 
dns                     IPv4      17            14             4942          17220          8331        116.6k  23.83 
Proto detect            IPv4       6             7             2934           5739          4082         28.6k
Proto detect            IPv4      17            14             5688          39002         14551        203.7k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             3            63469         111700         83766        251.3k  3.20  
LOGGER_UNIFIED2             IPv4       6             3            64492         108739         86780        260.3k  3.31  
LOGGER_JSON_ALERT           IPv4       6             3            84680         139560        110600        331.8k  4.22  
LOGGER_JSON_DNS             IPv4      17            14            41885         421415        128052          1.8m  22.81 
LOGGER_JSON_HTTP            IPv4       6            18            81268         222393        136168          2.5m  31.19 
LOGGER_JSON_TLS             IPv4       6            16            37534         193773         81578          1.3m  16.61 
LOGGER_JSON_FILE            IPv4       6            14            69019         223817        104710          1.5m  18.65 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1677             2580         238141         26247        44.0m  10.16 
payload                           IPv4      17            14            16439          55875         37898       530.6k  0.12  
stream                            IPv4       6          1677             2540         409448         49325        82.7m  19.09 
http_uri                          IPv4       6            18             4374          15227          6520       117.4k  0.03  
http_request_line                 IPv4       6            18             5017           9217          6921       124.6k  0.03  
http_client_body                  IPv4       6            18             3004           7645          3773        67.9k  0.02  
http_header (request)             IPv4       6            18            55354         119564         89698         1.6m  0.37  
http_header (request trailer)     IPv4       6            18             2581           3067          2668        48.0k  0.01  
http_header_names (request)       IPv4       6            18            13785          36823         20219       364.0k  0.08  
http_accept (request)             IPv4       6            18             3229           7771          4018        72.3k  0.02  
http_referer (request)            IPv4       6            18             2847          32223          4873        87.7k  0.02  
http_content_len (request)        IPv4       6            18             2945          22705          4428        79.7k  0.02  
http_content_type (request)       IPv4       6            18             2837           4110          3490        62.8k  0.01  
http_protocol (request)           IPv4       6            18             3912           7585          5677       102.2k  0.02  
http_start (request)              IPv4       6            18            11952          31549         18238       328.3k  0.08  
http_raw_header (request)         IPv4       6            18            13452          21976         18954       341.2k  0.08  
http_method                       IPv4       6            18             4426          19196          7235       130.2k  0.03  
http_cookie (request)             IPv4       6            18             2835          17953         11492       206.9k  0.05  
http_raw_uri                      IPv4       6            18             2954           7686          3771        67.9k  0.02  
http_user_agent                   IPv4       6            18            30846          63637         47252       850.5k  0.20  
http_host                         IPv4       6            18             3828          19528          7064       127.2k  0.03  
dns_query                         IPv4      17             7             8480          15988         12229        85.6k  0.02  
tls_sni                           IPv4       6            16             4969          10011          8056       128.9k  0.03  
http_response_line                IPv4       6            14             5301          25654         10510       147.1k  0.03  
http_header (response)            IPv4       6            14            15888          85049         48741       682.4k  0.16  
http_header (response trailer)    IPv4       6            12             2649         144563         21349       256.2k  0.06  
http_content_type (response)      IPv4       6            14             4706          14302          9599       134.4k  0.03  
http_raw_header (response)        IPv4       6          1484             3459          95853          4386         6.5m  1.50  
http_cookie (response)            IPv4       6            14             2941           3655          3204        44.9k  0.01  
http_stat_code                    IPv4       6            14             3168           5737          4360        61.0k  0.01  
tls_cert_issuer                   IPv4       6            16             4801           9528          7128       114.1k  0.03  
tls_cert_subject                  IPv4       6            16             5141          10405          8033       128.5k  0.03  
tls_cert_serial                   IPv4       6            16             3954           6526          5264        84.2k  0.02  
file_data (http response)         IPv4       6          1472             2566        9689637        198888       292.8m  67.58 
Total                             IPv4                  6801                                         63696       433.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           102             3326         123206         41927          4.3m  0.20  
PROF_DETECT_IPONLY          IPv4      17            14            36547          77301         50209        702.9k  0.03  
PROF_DETECT_RULES           IPv4       6         11196             2523        6474418         40971        458.7m  21.13 
PROF_DETECT_RULES           IPv4      17            14           194855         294896        240101          3.4m  0.15  
PROF_DETECT_STATEFUL_START    IPv4       6          2325             5099        6366946        102285        237.8m  10.96 
PROF_DETECT_STATEFUL_CONT    IPv4       6         11196             2511         399852          6764         75.7m  3.49  
PROF_DETECT_STATEFUL_CONT    IPv4      17            14             5351          55146          9606        134.5k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6         10945             2541        5638072          3731         40.8m  1.88  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            14             2651           3393          2955         41.4k  0.00  
PROF_DETECT_PREFILTER       IPv4       6         11196             7754       15404297         58954        660.1m  30.41 
PROF_DETECT_PREFILTER       IPv4      17            14            55905         137587         77084          1.1m  0.05  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1677            13558        6322579         87578        146.9m  6.77  
PROF_DETECT_PF_PAYLOAD      IPv4      17            14            21767          96060         47475        664.7k  0.03  
PROF_DETECT_PF_TX           IPv4       6         10945             2544       15385876         33411        365.7m  16.85 
PROF_DETECT_PF_TX           IPv4      17             7            14091          22140         18132        126.9k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6          1322             2527        3415469          6062          8.0m  0.37  
PROF_DETECT_PF_SORT1        IPv4      17            14             3889           5675          4455         62.4k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6         11196             2513        1532003          2994         33.5m  1.54  
PROF_DETECT_PF_SORT2        IPv4      17            14             3115           5904          3808         53.3k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6         11196             2534          81224          3015         33.8m  1.56  
PROF_DETECT_NONMPMLIST      IPv4      17            14             2846           4269          3315         46.4k  0.00  
PROF_DETECT_ALERT           IPv4       6         11196             2518          73180          2824         31.6m  1.46  
PROF_DETECT_ALERT           IPv4      17            14             2534          11050          3394         47.5k  0.00  
PROF_DETECT_CLEANUP         IPv4       6         11196             2551          59836          2938         32.9m  1.52  
PROF_DETECT_CLEANUP         IPv4      17            14             3017           4586          3620         50.7k  0.00  
PROF_DETECT_GETSGH          IPv4       6         11196             2518          89951          3060         34.3m  1.58  
PROF_DETECT_GETSGH          IPv4      17            14             5568           7156          6316         88.4k  0.00  


suricata-4.0.0-etpro-all-alert-2018-11-24-T-06-43-11-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt (1296 bytes)
11/23/2018-17:45:05.767380  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.769051  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:45.581295  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.581295  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.581295  [**] [1:2819694:2] ETPRO TROJAN Locky JS Executable Payload Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.581295  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465


stats.log (3531 bytes)
------------------------------------------------------------------------------------
Date: 11/24/2018 -- 06:43:11 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 11179
decoder.bytes                              | Total                     | 6503078
decoder.ipv4                               | Total                     | 11179
decoder.ethernet                           | Total                     | 11179
decoder.tcp                                | Total                     | 11165
decoder.udp                                | Total                     | 14
decoder.avg_pkt_size                       | Total                     | 581
decoder.max_pkt_size                       | Total                     | 1342
flow.tcp                                   | Total                     | 65
flow.udp                                   | Total                     | 7
tcp.sessions                               | Total                     | 65
tcp.syn                                    | Total                     | 135
tcp.synack                                 | Total                     | 30
tcp.rst                                    | Total                     | 26
tcp.reassembly_gap                         | Total                     | 3
tcp.overlap                                | Total                     | 3
tcp.insert_list_fail                       | Total                     | 249
detect.alert                               | Total                     | 6
detect.mpm_list                            | Total                     | 1
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 1
app_layer.flow.http                        | Total                     | 10
app_layer.tx.http                          | Total                     | 18
app_layer.flow.tls                         | Total                     | 16
app_layer.flow.dns_udp                     | Total                     | 7
app_layer.tx.dns_udp                       | Total                     | 7
flow_mgr.closed_pruned                     | Total                     | 3
flow_mgr.new_pruned                        | Total                     | 4
flow_mgr.est_pruned                        | Total                     | 2
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 15
flow_mgr.flows_notimeout                   | Total                     | 8
flow_mgr.flows_timeout                     | Total                     | 7
flow_mgr.flows_timeout_inuse               | Total                     | 5
flow_mgr.flows_removed                     | Total                     | 2
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65521
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7078624


eve.json (41152 bytes)
{"timestamp":"2018-11-23T17:45:05.447352+0000","flow_id":1264679907349368,"pcap_cnt":1,"event_type":"dns","src_ip":"10.11.23.101","src_port":60374,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47151,"rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":1264679907349368,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"A","ttl":14400,"rdata":"64.187.229.195"}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":1264679907349368,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"NS","ttl":20864,"rdata":"ns2.blazewebtech.com"}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":1264679907349368,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"NS","ttl":20864,"rdata":"ns1.blazewebtech.com"}}
{"timestamp":"2018-11-23T17:45:05.767380+0000","flow_id":178907879899512,"pcap_cnt":85,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019613,"rev":3,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.769051+0000","flow_id":178907879899512,"pcap_cnt":101,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.821936+0000","flow_id":178907879899512,"pcap_cnt":163,"event_type":"http","src_ip":"10.11.23.101","src_port":49463,"dest_ip":"64.187.229.195","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sbpupvcwindows.blazewebtech.com","url":"\/US\/Black-Friday\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-11-23T17:45:10.769725+0000","flow_id":178907879899512,"pcap_cnt":165,"event_type":"fileinfo","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","http":{"hostname":"sbpupvcwindows.blazewebtech.com","url":"\/US\/Black-Friday\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97130},"app_proto":"http","fileinfo":{"filename":"BF_COUPON_5302.doc","gaps":false,"state":"CLOSED","stored":false,"size":97024,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.227354+0000","flow_id":1771138158524442,"pcap_cnt":169,"event_type":"dns","src_ip":"10.11.23.101","src_port":54988,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47911,"rrname":"www.atlantictoursrd.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":1771138158524442,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"www.atlantictoursrd.com","rrtype":"CNAME","ttl":10800,"rdata":"atlantictoursrd.com"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":1771138158524442,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"A","ttl":10800,"rdata":"166.62.74.3"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":1771138158524442,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"NS","ttl":3600,"rdata":"ns40.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":1771138158524442,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"NS","ttl":3600,"rdata":"ns39.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:45:45.480093+0000","flow_id":1399159630954651,"pcap_cnt":177,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:45:45.576387+0000","flow_id":1399159630954651,"pcap_cnt":179,"event_type":"fileinfo","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/www.atlantictoursrd.com\/dWUYS8Xoq\/","length":249},"app_proto":"http","fileinfo":{"filename":"\/dWUYS8Xoq","gaps":false,"state":"CLOSED","stored":false,"size":249,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.581295+0000","flow_id":1399159630954651,"pcap_cnt":204,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:45.581295+0000","flow_id":1399159630954651,"pcap_cnt":204,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2022053,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-23T17:45:45.581295+0000","flow_id":1399159630954651,"pcap_cnt":204,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2819694,"rev":2,"signature":"ETPRO TROJAN Locky JS Executable Payload Download","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-23T17:45:45.581295+0000","flow_id":1399159630954651,"pcap_cnt":204,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-11-23T17:45:45.654007+0000","flow_id":1399159630954651,"pcap_cnt":347,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-23T17:47:32.195554+0000","flow_id":477829023308826,"pcap_cnt":367,"event_type":"http","src_ip":"10.11.23.101","src_port":49470,"dest_ip":"47.32.209.86","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:48:30.777030+0000","flow_id":477829023308826,"pcap_cnt":369,"event_type":"fileinfo","src_ip":"47.32.209.86","src_port":80,"dest_ip":"10.11.23.101","dest_port":49470,"proto":"TCP","http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}
{"timestamp":"2018-11-23T17:48:32.707595+0000","flow_id":477829023308826,"pcap_cnt":379,"event_type":"fileinfo","src_ip":"47.32.209.86","src_port":80,"dest_ip":"10.11.23.101","dest_port":49470,"proto":"TCP","http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1129},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"TRUNCATED","stored":false,"size":1129,"tx_id":1}}
{"timestamp":"2018-11-23T17:50:24.404762+0000","flow_id":1819246103514413,"pcap_cnt":409,"event_type":"http","src_ip":"10.11.23.101","src_port":49472,"dest_ip":"74.56.138.57","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"74.56.138.57","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"2018-11-23T17:52:29.770133+0000","flow_id":547418243555503,"pcap_cnt":1036,"event_type":"fileinfo","src_ip":"190.210.251.29","src_port":80,"dest_ip":"10.11.23.101","dest_port":49476,"proto":"TCP","http":{"hostname":"190.210.251.29","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":322581},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"TRUNCATED","stored":false,"size":322581,"tx_id":0}}
{"timestamp":"2018-11-23T17:53:57.835470+0000","flow_id":1329531800798693,"pcap_cnt":1916,"event_type":"http","src_ip":"10.11.23.101","src_port":49480,"dest_ip":"23.94.123.231","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:53:58.019690+0000","flow_id":1329531800798693,"pcap_cnt":1918,"event_type":"fileinfo","src_ip":"23.94.123.231","src_port":443,"dest_ip":"10.11.23.101","dest_port":49480,"proto":"TCP","http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":501284},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":501284,"tx_id":0}}
{"timestamp":"2018-11-23T17:53:58.042265+0000","flow_id":1058631033726233,"pcap_cnt":1919,"event_type":"dns","src_ip":"10.11.23.101","src_port":51092,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19283,"rrname":"usa.usagolfcar.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1058631033726233,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"198.55.107.148"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1058631033726233,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"104.223.89.132"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1058631033726233,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usagolfcar.com","rrtype":"NS","ttl":3600,"rdata":"ns77.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1058631033726233,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usagolfcar.com","rrtype":"NS","ttl":3600,"rdata":"ns78.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:53:58.408318+0000","flow_id":1329531800798693,"pcap_cnt":1927,"event_type":"http","src_ip":"10.11.23.101","src_port":49480,"dest_ip":"23.94.123.231","dest_port":443,"proto":"TCP","tx_id":1,"http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:54:00.235679+0000","flow_id":337589776564684,"pcap_cnt":1929,"event_type":"tls","src_ip":"10.11.23.101","src_port":49481,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=NA, ST=huxu, O=olooraf, CN=erux.fr\/emailAddress=neel@eyag.abc","issuerdn":"C=NA, ST=huxu, O=olooraf, CN=erux.fr\/emailAddress=neel@eyag.abc"}}
{"timestamp":"2018-11-23T17:54:01.415957+0000","flow_id":1329531800798693,"pcap_cnt":1943,"event_type":"fileinfo","src_ip":"23.94.123.231","src_port":443,"dest_ip":"10.11.23.101","dest_port":49480,"proto":"TCP","http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2018-11-23T17:54:02.993418+0000","flow_id":837599131895668,"pcap_cnt":1946,"event_type":"tls","src_ip":"10.11.23.101","src_port":49482,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca\/emailAddress=hilu@sapo.tld","issuerdn":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca\/emailAddress=hilu@sapo.tld"}}
{"timestamp":"2018-11-23T17:49:47.049875+0000","flow_id":1399159630954651,"event_type":"fileinfo","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TC

This file has been truncated. Go here to download in full.

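The eve.json records above carry the three signals an analyst would pivot on for this capture: a plain HTTP transaction to 23.94.123.231 on port 443 with an IP literal as the Host header, the DNS answer that maps usa.usagolfcar.com to 198.55.107.148, and two TLS sessions to that address whose certificate subject equals its issuer (self-signed, with random-looking fields). The following Python script is an added example, not part of the page or of Suricata, that runs those checks over eve.json lines and joins each finding back to the DNS name that led to the IP. The sample records are taken from the lines shown above, trimmed to the fields the script reads; the function names are the example's own.

```python
"""Triage of Suricata eve.json records (added example, not from the page's own tooling).

Correlates DNS A answers with later TLS sessions, flags self-signed certificates
(subject == issuerdn), cleartext HTTP on port 443, and HTTP requests whose Host
header is an IP literal. The sample records below are taken from the eve.json
lines shown on this page, trimmed to the fields this script reads.
"""
import json
from collections import defaultdict

SAMPLE_EVE = r'''
{"timestamp":"2018-11-23T17:53:57.835470+0000","event_type":"http","src_ip":"10.11.23.101","src_port":49480,"dest_ip":"23.94.123.231","dest_port":443,"proto":"TCP","http":{"hostname":"23.94.123.231","url":"/","http_method":"GET","status":200}}
{"timestamp":"2018-11-23T17:53:58.042265+0000","event_type":"dns","src_ip":"10.11.23.101","dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19283,"rrname":"usa.usagolfcar.com","rrtype":"A"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","event_type":"dns","src_ip":"10.11.23.1","dest_ip":"10.11.23.101","proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"198.55.107.148"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","event_type":"dns","src_ip":"10.11.23.1","dest_ip":"10.11.23.101","proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"104.223.89.132"}}
{"timestamp":"2018-11-23T17:54:00.235679+0000","event_type":"tls","src_ip":"10.11.23.101","src_port":49481,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=NA, ST=huxu, O=olooraf, CN=erux.fr/emailAddress=neel@eyag.abc","issuerdn":"C=NA, ST=huxu, O=olooraf, CN=erux.fr/emailAddress=neel@eyag.abc"}}
{"timestamp":"2018-11-23T17:54:02.993418+0000","event_type":"tls","src_ip":"10.11.23.101","src_port":49482,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca/emailAddress=hilu@sapo.tld","issuerdn":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca/emailAddress=hilu@sapo.tld"}}
'''


def parse_eve(text):
    """Yield one dict per non-empty line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def dns_answer_map(records):
    """Map each answered IPv4 address to the set of names that resolved to it."""
    names = defaultdict(set)
    for r in records:
        if r.get("event_type") != "dns":
            continue
        d = r.get("dns", {})
        if d.get("type") == "answer" and d.get("rrtype") == "A" and "rdata" in d:
            names[d["rdata"]].add(d["rrname"])
    return names


def triage(text):
    """Return a list of findings, in record order, each joined to the DNS name(s) for its IP."""
    records = list(parse_eve(text))
    ip_to_names = dns_answer_map(records)
    findings = []
    for r in records:
        et = r.get("event_type")
        dest_ip = r.get("dest_ip")
        names = sorted(ip_to_names.get(dest_ip, ()))
        if et == "tls":
            t = r.get("tls", {})
            subject, issuer = t.get("subject"), t.get("issuerdn")
            # A cert that issued itself: no CA in the chain, typical of malware C2 listeners.
            if subject and subject == issuer:
                findings.append({"kind": "self_signed_tls", "dest_ip": dest_ip,
                                 "dest_port": r.get("dest_port"), "names": names,
                                 "subject": subject})
        elif et == "http":
            hostname = r.get("http", {}).get("hostname")
            # Suricata parsed the stream as cleartext HTTP on the TLS port.
            if r.get("dest_port") == 443:
                findings.append({"kind": "http_on_443", "dest_ip": dest_ip,
                                 "dest_port": 443, "names": names, "hostname": hostname})
            # Host header is the bare IP: the client never resolved a name for it.
            if hostname == dest_ip:
                findings.append({"kind": "ip_literal_host", "dest_ip": dest_ip,
                                 "dest_port": r.get("dest_port"), "names": names,
                                 "hostname": hostname})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVE):
        print(f)
```

On the sample above this yields the cleartext-on-443 finding and the IP-literal Host finding for 23.94.123.231 (no DNS name ever resolved to it) and two self-signed findings for 198.55.107.148, each joined to usa.usagolfcar.com. Against a full eve.json the same joins work unchanged; the DNS map is built from the whole file first, so a TLS session that follows its lookup by minutes still gets its name.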

suricata-4.0.0-etpro-all-perf.txt-2018-11-24-T-06-43-11-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (68055 bytes) - download
  --------------------------------------------------------------------------
  Date: 11/24/2018 -- 06:43:11. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2819664      1        2        40219820     10.49  219      0        6233977     183652.15   0.00        183652.15  
  2        2820157      1        2        43482111     11.34  240      0        6204046     181175.46   0.00        181175.46  
  3        2820851      1        5        2189094      0.57   18       0        1500274     121616.33   0.00        121616.33  
  4        2816328      1        5        1908916      0.50   18       0        1411671     106050.89   0.00        106050.89  
  5        2815453      1        4        9011742      2.35   10       0        1138749     901174.20   0.00        901174.20  
  6        2016502      1        2        2026435      0.53   264      0        400441      7675.89     0.00        7675.89    
  7        2820158      1        2        37062966     9.67   240      0        295919      154429.02   0.00        154429.02  
  8        2819930      1        2        33637032     8.78   219      0        286056      153593.75   0.00        153593.75  
  9        2809148      1        2        242290       0.06   1        0        242290      242290.00   0.00        242290.00  
  10       2819940      1        3        1822263      0.48   12       0        240712      151855.25   0.00        151855.25  
  11       2012520      1        7        212185       0.06   1        1        212185      212185.00   212185.00   0.00       
  12       2020865      1        3        25836195     6.74   201      0        205251      128538.28   0.00        128538.28  
  13       2809149      1        2        205108       0.05   1        0        205108      205108.00   0.00        205108.00  
  14       2016855      1        2        187239       0.05   1        0        187239      187239.00   0.00        187239.00  
  15       2816510      1        3        1777898      0.46   12       0        180917      148158.17   0.00        148158.17  
  16       2021735      1        4        460841       0.12   16       0        160806      28802.56    0.00        28802.56   
  17       2830701      1        1        1255761      0.33   14       0        156824      89697.21    0.00        89697.21   
  18       2016854      1        3        147431       0.04   1        0        147431      147431.00   0.00        147431.00  
  19       2017373      1        6        814163       0.21   7        0        146543      116309.00   0.00        116309.00  
  20       2803027      1        6        893050       0.23   28       0        135963      31894.64    0.00        31894.64   
  21       2018342      1        2        1202602      0.31   11       0        135923      109327.45   0.00        109327.45  
  22       2019344      1        5        1036499      0.27   17       1        134938      60970.53    134938.00   56347.56   
  23       2814961      1        5        446951       0.12   16       0        134687      27934.44    0.00        27934.44   
  24       2019837      1        3        150564       0.04   9        1        127498      16729.33    127498.00   2883.25    
  25       2816909      1        2        1181439      0.31   18       0        125491      65635.50    0.00        65635.50   
  26       2022339      1        2        889337       0.23   17       0        122345      52313.94    0.00        52313.94   
  27       2024769      1        2        973707       0.25   10       0        122008      97370.70    0.00        97370.70   
  28       2804927      1        2        278749       0.07   19       0        117278      14671.00    0.00        14671.00   
  29       2021736      1        3        415487       0.11   16       0        116686      25967.94    0.00        25967.94   
  30       2024228      1        3        1587796      0.41   23       0        113887      69034.61    0.00        69034.61   
  31       2018358      1        7        1430968      0.37   17       0        110784      84174.59    0.00        84174.59   
  32       2806802      1        2        9611874      2.51   472      0        109771      20364.14    0.00        20364.14   
  33       2814979      1        2        1153542      0.30   16       0        106958      72096.38    0.00        72096.38   
  34       2022049      1        3        558769       0.15   17       2        106511      32868.76    91259.00    25083.40   
  35       2822213      1        2        932936       0.24   16       0        100914      58308.50    0.00        58308.50   
  36       2827279      1        5        1143141      0.30   18       0        100125      63507.83    0.00        63507.83   
  37       2828008      1        2        1087274      0.28   18       0        98964       60404.11    0.00        60404.11   
  38       2019613      1        3        120095       0.03   8        1        97294       15011.88    97294.00    3257.29    
  39       2024650      1        1        2273317      0.59   322      0        94883       7059.99     0.00        7059.99    
  40       2828060      1        4        491744       0.13   12       0        93498       40978.67    0.00        40978.67   
  41       2811447      1        2        1594422      0.42   56       0        91892       28471.82    0.00        28471.82   
  42       2828122      1        2        612593       0.16   17       1        88964       36034.88    74031.00    33660.12   
  43       2022552      1        2        4460704      1.16   214      0        88101       20844.41    0.00        20844.41   
  44       2021743      1        4        374568       0.10   16       0        87174       23410.50    0.00        23410.50   
  45       2814978      1        2        1065853      0.28   16       0        85578       66615.81    0.00        66615.81   
  46       2816910      1        2        1073588      0.28   18       0        84834       59643.78    0.00        59643.78   
  47       2014519      1        7        4416682      1.15   220      0        84827       20075.83    0.00        20075.83   
  48       2024909      1        2        2105346      0.55   105      0        80688       20050.91    0.00        20050.91   
  49       2815324      1        2        666439       0.17   17       0        79387       39202.29    0.00        39202.29   
  50       2022054      1        3        153531       0.04   2        0        79336       76765.50    0.00        76765.50   
  51       2804906      1        3        668335       0.17   35       0        78931       19095.29    0.00        19095.29   
  52       2025064      1        5        744579       0.19   18       0        78927       41365.50    0.00        41365.50   
  53       2816940      1        2        1038885      0.27   18       0        77704       57715.83    0.00        57715.83   
  54       2802991      1        5        458313       0.12   28       0        77466       16368.32    0.00        16368.32   
  55       2017552      1        6        21326533     5.56   1498     0        76641       14236.67    0.00        14236.67   
  56       2810481      1        4        5308344      1.38   260      0        74702       20416.71    0.00        20416.71   
  57       2816525      1        10       679379       0.18   18       0        74296       37743.28    0.00        37743.28   
  58       2021418      1        9        70824        0.02   1        0        70824       70824.00    0.00        70824.00   
  59       2020793      1        2        68671        0.02   1        0        68671       68671.00    0.00        68671.00   
  60       2018958      1        18       763715       0.20   17       0        68332       44924.41    0.00        44924.41   
  61       2018005      1        6        781645       0.20   16       0        67816       48852.81    0.00        48852.81   
  62       2018452      1        15       678645       0.18   17       0        67592       39920.29    0.00        39920.29   
  63       2821561      1        2        603414       0.16   15       0        66978       40227.60    0.00        40227.60   
  64       2022220      1        2        649464       0.17   17       0        66974       38203.76    0.00        38203.76   
  65       2816165      1        5        678009       0.18   18       0        66562       37667.17    0.00        37667.17   
  66       2018576      1        4        257202       0.07   11       0        66276       23382.00    0.00        23382.00   
  67       2823570      1        4        423239       0.11   14       0        66077       30231.36    0.00        30231.36   
  68       2809363      1        3        65950        0.02   1        0        65950       65950.00    0.00        65950.00   
  69       2022503      1        2        632342       0.16   17       0        65600       37196.59    0.00        37196.59   
  70       2801929      1        7        334779       0.09   26       0        65351       12876.12    0.00        12876.12   
  71       2802987      1        5        398091       0.10   26       0        64841       15311.19    0.00        15311.19   
  72       2023671      1        4        64398        0.02   1        0        64398       64398.00    0.00        64398.00   
  73       2816924      1        4        583964       0.15   18       0        63803       32442.44    0.00        32442.44   
  74       2819673      1        4        559679       0.15   18       0        63394       31093.28    0.00        31093.28   
  75       2816922      1        5        538293       0.14   18       0        62160       29905.17    0.00        29905.17   
  76       2018241      1        2        61166        0.02   1        0        61166       61166.00    0.00        61166.00   
  77       2815817      1        5        617501       0.16   18       0        60722       34305.61    0.00        34305.61   
  78       2815364      1        2        60448        0.02   1        0        60448       60448.00    0.00        60448.00   
  79       2016537      1        2        21216383     5.54   1480     0        60095       14335.39    0.00        14335.39   
  80       2017816      1        4        561371       0.15   16       0        59782       35085.69    0.00        35085.69   
  81       2816929      1        4        576925       0.15   18       0        59132       32051.39    0.00        32051.39   
  82       2823937      1        13       139611       0.04   12       0        57963       11634.25    0.00        11634.25   
  83       2023679      1        3        57032        0.01   1        0        57032       57032.00    0.00        57032.00   
  84       2821839      1        2        56798        0.01   1        0        56798       56798.00    0.00        56798.00   
  85       2022262      1        3        550742       0.14   17       0        56275       32396.59    0.00        32396.59   
  86       2021413      1        2        56189        0.01   1        0        56189       56189.00    0.00        56189.00   
  87       2018010      1        5        405038       0.11   17       0        55591       23825.76    0.00        23825.76   
  88       2816931      1        3        547575       0.14   18       0        55000       30420.83    0.00        30420.83   
  89       2810276      1        6        53286        0.01   1        0        53286       53286.00    0.00        53286.00   
  90       2022207      1        4        525425       0.14   17       0        52863       30907.35    0.00        30907.35   
  91       2828986      1        2        388319       0.10   12       0        52643       32359.92    0.00        32359.92   
  92       2018959      1        3        52443        0.01   1        1        52443       52443.00    52443.00    0.00       
  93       2009702      1        5        229064       0.06   14       0        52171       16361.71    0.00        16361.71   
  94       2023315      1        2        638009       0.17   17       0        52135       37529.94    0.00        37529.94   
  95       2020388      1        8        463604       0.12   18       0        51853       25755.78    0.00        25755.78   
  96       2001330      1        8        4342418      1.13   1513     0        51845       2870.07     0.00        2870.07    
  97       2801930      1        7        302053       0.08   26       0        51462       11617.42    0.00        11617.42   
  98       2804907      1        3        427763       0.11   33       0        51212       12962.52    0.00        12962.52   
  99       2022901      1        2        51129        0.01   1        0        51129       51129.00    0.00        51129.00   
  100      2803657      1        5        204620       0.05   15       0        50989       13641.33    0.00        13641.33   
  101      2018242      1        5        583800       0.15   17       0        50852       34341.18    0.00        34341.18   
  102      2823858      1        3        50810        0.01   1        0        50810       50810.00    0.00        50810.00   
  103      2804626      1        9        422140       0.11   18       0        50755       23452.22    0.00        23452.22   
  104      2822979      1        3        90667        0.02   2        0        50674       45333.50    0.00        45333.50   
  105      2008308      1        3        118684       0.03   24       0        50322       4945.17     0.00        4945.17    
  106      2023670      1        3        628755       0.16   17       3        49606       36985.59    41521.33    36013.64   
  107      2816327      1        4        687112       0.18   18       0        49391       38172.89    0.00        38172.89   
  108      2016858      1        10       514139       0.13   17       0        48473       30243.47    0.00        30243.47   
  109      2821471      1        2        48144        0.01   1        0        48144       48144.00    0.00        48144.00   
  110      2828006      1        2        168642       0.04   5        0        48022       33728.40    0.00        33728.40   
  111      2019693      1        5        503921       0.13   17       0        48011       29642.41    0.00        29642.41   
  112      2019881      1        3        603809       0.16   17       0        47922       35518.18    0.00        35518.18   
  113      2018981      1        4        548461       0.14   17       0        47869       32262.41    0.00        32262.41   
  114      2804911      1        3        260613       0.07   23       0        47498       11331.00    0.00        11331.00   
  115      2021067      1        2        117513       0.03   3        2        47196       39171.00    43902.00    29709.00   
  116      2021070      1        2        79916        0.02   2        2        47014       39958.00    39958.00    0.00       
  117      2023672      1        4        46799        0.01   1        0        46799       46799.00    0.00        46799.00   
  118      2802881      1        3        49428        0.01   2        0        46590       24714.00    0.00        24714.00   
  119      2013352      1        4        46217        0.01   1        0        46217       46217.00    0.00        46217.00   
  120      2816930      1        4        507147       0.13   18       0        46095       28174.83    0.00        28174.83   
  121      2014353      1        6        45904        0.01   1        0        45904       45904.00    0.00        45904.00   
  122      2820003      1        2        1401926      0.37   227      0        45461       6175.89     0.00        6175.89    
  123      2024272      1        4        392919       0.10   14       0        44674       28065.64    0.00        28065.64   
  124      2019343      1        3        43942        0.01   1        0        43942       43942.00    0.00        43942.00   
  125      2008575      1        5        

This file has been truncated. Go here to download in full.

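The rule profile above is sorted by max ticks, which surfaces the single slowest evaluation of each rule; for tuning, the more useful view is total ticks share for rules that never matched on this traffic (for example sid 2820157 at 11.34 % and 2819664 at 10.49 %, both with zero matches). The Python below is an added example, not Suricata's own tooling, that parses rows in this rule_perf format and ranks the non-matching rules by cost. The embedded rows are copied from the table above (a subset, not the full file); the function names and the 1 % threshold are the example's own choices.

```python
"""Rank Suricata rule_perf rows to find expensive rules that never matched
(added example; the rows below are a subset copied from the perf file on this page).
"""
import re

SAMPLE_RULE_PERF = """\
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2819664      1        2        40219820     10.49  219      0        6233977     183652.15   0.00        183652.15
  2        2820157      1        2        43482111     11.34  240      0        6204046     181175.46   0.00        181175.46
  5        2815453      1        4        9011742      2.35   10       0        1138749     901174.20   0.00        901174.20
  11       2012520      1        7        212185       0.06   1        1        212185      212185.00   212185.00   0.00
  22       2019344      1        5        1036499      0.27   17       1        134938      60970.53    134938.00   56347.56
  55       2017552      1        6        21326533     5.56   1498     0        76641       14236.67    0.00        14236.67
  125      2008575      1        5
"""

# One data row: Num Rule Gid Rev Ticks % Checks Matches MaxTicks AvgTicks AvgMatch AvgNoMatch
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_rule_perf(text):
    """Parse data rows; header, separator and truncated rows (like the last one) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "sid": int(m.group(2)), "gid": int(m.group(3)), "rev": int(m.group(4)),
            "ticks": int(m.group(5)), "pct": float(m.group(6)),
            "checks": int(m.group(7)), "matches": int(m.group(8)),
            "max_ticks": int(m.group(9)), "avg_ticks": float(m.group(10)),
        })
    return rows


def tuning_candidates(rows, min_pct=1.0):
    """Rules that consumed at least min_pct of total ticks without a single match,
    most expensive first. These are the first to profile, rewrite or disable."""
    cands = [r for r in rows if r["matches"] == 0 and r["pct"] >= min_pct]
    return sorted(cands, key=lambda r: r["ticks"], reverse=True)


def matched_rules(rows):
    """SIDs that fired at least once on this capture, ascending."""
    return sorted(r["sid"] for r in rows if r["matches"] > 0)


if __name__ == "__main__":
    rows = parse_rule_perf(SAMPLE_RULE_PERF)
    for r in tuning_candidates(rows):
        print(f"sid {r['sid']} rev {r['rev']}: {r['pct']:.2f}% of ticks, "
              f"{r['checks']} checks, 0 matches, avg {r['avg_ticks']:.0f} ticks")
    print("matched:", matched_rules(rows))
```

Ticks are CPU cycles as measured by Suricata, so the ranking is only comparable within one run on one host; a rule with few checks but a very high average (sid 2815453 here, 10 checks at about 900k ticks each) is usually a rule with an expensive pcre or a content match that runs past the fast-pattern stage, and is worth a look even when its total share is modest.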

unified2.alert.1543041789 - (11384 bytes) - download
[binary unified2 alert records; not renderable as text. Readable strings in the captured packet payload include OLE2 compound-document stream names (Root Entry, WordDocument, 1Table, Data, SummaryInformation, DocumentSummaryInformation, Macros, VBA, _VBA_PROJECT, __SRP_2, __SRP_3), the VBA module name wpdEzDp with Project.wpdEzDp.AutoOpen / PROJECT.WPDEZDP.AUTOOPEN, the parts drs/e2oDoc.xml and drs/downrev.xml, and font names such as Calibri, Times New Roman, Arial and Tahoma: a Word document carrying an AutoOpen VBA macro.]


keyword_perf.log - (16560 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/24/2018 -- 06:43:11
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             24822109        8122            8122            64980           3056.00         3056.00         0.00           
  content          153987543       7477            3319            6183457         20594.00        21161.00        20142.00       
  pcre             8301390         2127            206             39562           3902.00         6432.00         3631.00        
  byte_test        661911          202             85              18087           3276.00         3660.00         2998.00        
  byte_jump        100871          30              10              8613            3362.00         3139.00         3474.00        
  isdataat         34724           7               0               17701           4960.00         0.00            4960.00        
  flowbits         3164171         1087            36              47064           2910.00         4347.00         2861.00        
  urilen           1512128         476             90              21935           3176.00         3209.00         3169.00        
  byte_extract     224996          66              66              25575           3409.00         3409.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             24822109        8122            8122            64980           3056.00         3056.00         0.00           
  flowbits         3066152         1071            20              47064           2862.00         2925.00         2861.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7308991         1585            601             63982           4611.00         5253.00         4219.00        
  pcre             581067          91              12              24084           6385.00         8370.00         6083.00        
  byte_test        661911          202             85              18087           3276.00         3660.00         2998.00        
  byte_jump        60867           19              0               4218            3203.00         0.00            3203.00        
  isdataat         34724           7               0               17701           4960.00         0.00            4960.00        
  byte_extract     224996          66              66              25575           3409.00         3409.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         98019           16              16              26578           6126.00         6126.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          538726          142             36              23035           3793.00         3921.00         3750.00        
  pcre             660649          106             23              35697           6232.00         8548.00         5590.00        
  urilen           1512128         476             90              21935           3176.00         3209.00         3169.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          43414           13              0               4155            3339.00         0.00            3339.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          135739153       3277            896             6183457         41421.00        66064.00        32148.00       
  pcre             5292212         1646            0               39562           3215.00         0.00            3215.00        
  byte_jump        40004           11              10              8613            3636.00         3139.00         8613.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7253844         1654            1293            67679           4385.00         4421.00         4257.00        
  pcre             1449392         231             121             31723           6274.00         6068.00         6501.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          387500          108             70              4822            3587.00         3659.00         3456.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7309            2               2               4273            3654.00         3654.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6350            2               2               3466            3175.00         3175.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          93033           25              24              4320            3721.00         3732.00         3449.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          55754           16              16              4362            3484.00         3484.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4041            1               0               4041            4041.00         0.00            4041.00        
  pcre             17933           1               0               17933           17933.00        0.00            17933.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          432490          104             51              64990           4158.00         4892.00         3452.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             111429          14              14              29693           7959.00         7959.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1987256         511             325             32082           3888.00         4155.00         3423.00        
  pcre             182282          36              36              9993            5063.00         5063.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             6426            2               0               3383            3213.00         0.00            3213.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3186            1               0               3186            3186.00         0.00            3186.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- -----

This file has been truncated. Go here to download in full.
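Added example (not part of the IDSDeathBlossom output or of Suricata's own code): a small Python parser for the keyword-profiling tables above. Suricata writes these "Stats for: <buffer>" tables when built with --enable-profiling; the columns are keyword, total ticks, checks, matches, max ticks, and three averages. The parser ranks keyword/buffer pairs by ticks and flags keywords that were checked many times without ever matching, which is where the MPM prefilter let rules through that then failed on a slower keyword. SAMPLE is constructed from a subset of the rows in the report above; the threshold of 100 checks is an assumption for illustration.

```python
"""Rank Suricata keyword-profiling output by cost.

Added example: parses the "Stats for: <buffer>" tables written by a
--enable-profiling build of Suricata (keyword profiling), ranks
keyword/buffer pairs by ticks and flags keywords that are evaluated often
but never match. SAMPLE is constructed from rows of the report on this page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = """\
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          7308991         1585            601             63982           4611.00         5253.00         4219.00
  pcre             581067          91              12              24084           6385.00         8370.00         6083.00
  byte_jump        60867           19              0               4218            3203.00         0.00            3203.00
  isdataat         34724           7               0               17701           4960.00         0.00            4960.00
  --------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          135739153       3277            896             6183457         41421.00        66064.00        32148.00
  pcre             5292212         1646            0               39562           3215.00         0.00            3215.00
  byte_jump        40004           11              10              8613            3636.00         3139.00         8613.00
  --------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          1987256         511             325             32082           3888.00         4155.00         3423.00
  pcre             182282          36              36              9993            5063.00         5063.00         0.00
"""

# "Stats for: <buffer>" opens a table; the buffer name may contain spaces.
STATS_HDR = re.compile(r"^\s*Stats for:\s*(.+?)\s*$")
# Data row: keyword, Ticks, Checks, Matches, Max Ticks, then three averages.
# Header and dashed separator lines do not match because the second field
# must be an integer.
ROW = re.compile(
    r"^\s*([A-Za-z_]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+[\d.]+\s+[\d.]+\s+[\d.]+\s*$"
)


@dataclass(frozen=True)
class KeywordStat:
    buffer: str     # inspection buffer, e.g. "file_data" or "http_uri"
    keyword: str    # rule keyword, e.g. "content" or "pcre"
    ticks: int      # total CPU ticks spent in this keyword on this buffer
    checks: int     # how often the keyword was evaluated
    matches: int    # how often it matched
    max_ticks: int  # most expensive single evaluation

    @property
    def hit_rate(self) -> float:
        return self.matches / self.checks if self.checks else 0.0


def parse_keyword_profile(text: str) -> list[KeywordStat]:
    """Walk the tables top to bottom, remembering the current buffer name."""
    buffer = None
    rows: list[KeywordStat] = []
    for line in text.splitlines():
        hdr = STATS_HDR.match(line)
        if hdr:
            buffer = hdr.group(1)
            continue
        row = ROW.match(line)
        if buffer is not None and row:
            kw, ticks, checks, matches, max_ticks = row.groups()
            rows.append(KeywordStat(buffer, kw, int(ticks), int(checks),
                                    int(matches), int(max_ticks)))
    return rows


def total_ticks(rows: list[KeywordStat]) -> int:
    return sum(r.ticks for r in rows)


def share_of_ticks(row: KeywordStat, rows: list[KeywordStat]) -> float:
    total = total_ticks(rows)
    return row.ticks / total if total else 0.0


def rank_by_ticks(rows: list[KeywordStat], n: int = 5) -> list[KeywordStat]:
    return sorted(rows, key=lambda r: r.ticks, reverse=True)[:n]


def never_matching(rows: list[KeywordStat], min_checks: int = 100) -> list[KeywordStat]:
    """Keywords evaluated at least min_checks times with zero matches: the
    prefilter let those rules through and every evaluation was wasted."""
    return [r for r in rows if r.matches == 0 and r.checks >= min_checks]


if __name__ == "__main__":
    rows = parse_keyword_profile(SAMPLE)
    for r in rank_by_ticks(rows, 3):
        print(f"{r.buffer:22s} {r.keyword:10s} {r.ticks:>10d} ticks "
              f"({share_of_ticks(r, rows):.1%}), hit rate {r.hit_rate:.2f}, "
              f"max {r.max_ticks} ticks")
    for r in never_matching(rows):
        print(f"wasted: {r.buffer} {r.keyword} checked {r.checks}x, never matched")
```

On the rows above, file_data/content alone accounts for roughly 90% of the ticks in the sample and has a single evaluation of 6.2M ticks (a large response body scanned end to end), while file_data/pcre was evaluated 1646 times without a match. Those two rows are where rule tuning (tighter content anchors before the pcre, or a smaller response-body inspection window) pays off first.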


suricata-report-2018-11-24-T-06-43-11-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (18042 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872f56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none
elapsedtime:22.790223
stderr:
stdout:
24/11/2018 -- 06:42:48 - <Info> - Configuration node 'rule-files' redefined.
24/11/2018 -- 06:42:48 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/11/2018 -- 06:42:48 - <Info> - CPUs/cores online: 1
24/11/2018 -- 06:42:48 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32402 and 'request-body-inspect-window' set to 15918 after randomization.
24/11/2018 -- 06:42:48 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32747 and 'response-body-inspect-window' set to 16960 after randomization.
24/11/2018 -- 06:42:48 - <Config> - DNS request flood protection level: 500
24/11/2018 -- 06:42:48 - <Config> - DNS per flow memcap (state-memcap): 524288
24/11/2018 -- 06:42:48 - <Config> - DNS global memcap: 16777216
24/11/2018 -- 06:42:48 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/11/2018 -- 06:42:48 - <Config> - preallocated 1000 hosts of size 136
24/11/2018 -- 06:42:48 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/11/2018 -- 06:42:48 - <Config> - using magic-file /usr/share/file/magic
24/11/2018 -- 06:42:48 - <Config> - Core dump size is unlimited.
24/11/2018 -- 06:42:48 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/11/2018 -- 06:42:48 - <Config> - preallocated 1000 defrag trackers of size 168
24/11/2018 -- 06:42:48 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/11/2018 -- 06:42:48 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/11/2018 -- 06:42:48 - <Config> - stream "memcap": 33554432
24/11/2018 -- 06:42:48 - <Config> - stream "midstream" session pickups: disabled
24/11/2018 -- 06:42:48 - <Config> - stream "async-oneside": disabled
24/11/2018 -- 06:42:48 - <Config> - stream "checksum-validation": disabled
24/11/2018 -- 06:42:48 - <Config> - stream."inline": disabled
24/11/2018 -- 06:42:48 - <Config> - stream "bypass": disabled
24/11/2018 -- 06:42:48 - <Config> - stream "max-synack-queued": 5
24/11/2018 -- 06:42:48 - <Config> - stream.reassembly "memcap": 134217728
24/11/2018 -- 06:42:48 - <Config> - stream.reassembly "depth": 0
24/11/2018 -- 06:42:48 - <Config> - stream.reassembly "toserver-chunk-size": 2602
24/11/2018 -- 06:42:48 - <Config> - stream.reassembly "toclient-chunk-size": 2449
24/11/2018 -- 06:42:48 - <Config> - stream.reassembly.raw: enabled
24/11/2018 -- 06:42:48 - <Config> - stream.reassembly "segment-prealloc": 2048
24/11/2018 -- 06:42:48 - <Config> - Delayed detect disabled
24/11/2018 -- 06:42:48 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/11/2018 -- 06:42:48 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/11/2018 -- 06:42:48 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/11/2018 -- 06:42:48 - <Config> - prefilter engines: MPM
24/11/2018 -- 06:42:48 - <Config> - IP reputation disabled
24/11/2018 -- 06:42:48 - <Perf> - Registered 148 keyword profiling counters.
24/11/2018 -- 06:42:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
24/11/2018 -- 06:42:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
24/11/2018 -- 06:42:48 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/11/2018 -- 06:42:53 - <Config> - No rules loaded from ET-icmp.rules.
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
24/11/2018 -- 06:42:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
24/11/2018 -- 06:42:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
24/11/2018 -- 06:42:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
24/11/2018 -- 06:42:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
24/11/2018 -- 06:42:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
24/11/2018 -- 06:42:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
24/11/2018 -- 06:42:58 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
24/11/2018 -- 06:42:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
24/11/2018 -- 06:43:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
24/11/2018 -- 06:43:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
24/11/2018 -- 06:43:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
24/11/2018 -- 06:43:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
24/11/2018 -- 06:43:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
24/11/2018 -- 06:43:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
24/11/2018 -- 06:43:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/11/2018 -- 06:43:01 - <Config> - No rules loaded from local.rules.
24/11/2018 -- 06:43:01 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/11/2018 -- 06:43:01 - <Info> - Threshold config parsed: 0 rule(s) found
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for tcp-packet
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for tcp-stream
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for udp-packet
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for other-ip
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_uri
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_client_body
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_accept
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_accept_enc
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_accept_lang
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_referer
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_connection
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_method
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_raw_uri
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_user_agent
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_host
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_raw_host
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_stat_msg
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_stat_code
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for dns_query
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for tls_sni
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:43:02 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:43:02 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
24/11/2018 -- 06:43:02 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/11/2018 -- 06:43:02 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
24/11/2018 -- 06:43:02 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
24/11/2018 -- 06:43:02 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
24/11/2018 -- 06:43:02 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
24/11/2018 -- 06:43:02 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
24/11/2018 -- 06:43:02 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/11/2018 -- 06:43:07 - <Perf> - Unique rule groups: 104
24/11/2018 -- 06:43:07 - <Perf> - Builtin MPM "toserver TCP packet": 35
24/11/2018 -- 06:43:07 - <Perf> - Builtin MPM "toclient TCP packet": 17
24/11/2018 -- 06:43:07 - <Perf> - Builtin MPM "toserver TCP stream": 33
24/11/2018 -- 06:43:07 - <Perf> - Builtin MPM "toclient TCP stream": 19
24/11/2018 -- 06:43:07 - <Perf> - Builtin MPM "toserver UDP packet": 27
24/11/2018 -- 06:43:07 - <Perf> - Builtin MPM "toclient UDP packet": 17
24/11/2018 -- 06:43:07 - <Perf> - Builtin MPM "other IP packet": 3
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_uri": 14
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_header": 10
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient http_header": 6
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_header_names": 2
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_protocol": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_start": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_method": 5
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver http_host": 2
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver tls_sni": 2
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toserver file_data": 1
24/11/2018 -- 06:43:07 - <Perf> - AppLayer MPM "toclient file_data": 7
24/11/2018 -- 06:43:09 - <Perf> - Registered 39590 rule profiling counters.
24/11/2018 -- 06:43:09 - <Info> - fast output device (regular) initialized: alert
24/11/2018 -- 06:43:09 - <Info> - eve-log output device (regular) initialized: eve.json
24/11/2018 -- 06:43:09 - <Config> - enabling 'eve-log' module 'alert'
24/11/2018 -- 06:43:09 - <Config> - enabling 'eve-log' module 'http'
24/11/2018 -- 06:43:09 - <Config> - enabling 'eve-log' module 'dns'
24/11/2018 -- 06:43:09 - <Config> - enabling 'eve-log' module 'tls'
24/11/2018 -- 06:43:09 - <Config> - enabling 'eve-log' module 'files'
24/11/2018 -- 06:43:09 - <Config> - enabling 'eve-log' module 'ssh'
24/11/2018 -- 06:43:09 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/11/2018 -- 06:43:09 - <Info> - stats output device (regular) initialized: stats.log
24/11/2018 -- 06:43:09 - <Config> -

This file has been truncated. Go here to download in full.
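Added example (not part of the IDSDeathBlossom harness or of Suricata): a Python check that turns the -vvv startup messages above into a pass/fail verdict for a pcap regression run. It reads the "rule files processed" summary, every "No rules loaded from" notice, the signature breakdown, and any Error/Warning lines, then reports problems such as a rule file that loaded nothing. SAMPLE_LOG is constructed from lines of the stdout above; treating local.rules as the only file allowed to be empty is an assumption for illustration.

```python
"""Check that a Suricata run loaded its ruleset cleanly.

Added example: parses the startup messages Suricata prints with -vvv (as in
the suricata-report stdout on this page) and produces a list of problems a
pcap regression harness can fail on. SAMPLE_LOG is constructed from lines of
that stdout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
24/11/2018 -- 06:42:48 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/11/2018 -- 06:42:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
24/11/2018 -- 06:42:53 - <Config> - No rules loaded from ET-icmp.rules.
24/11/2018 -- 06:43:01 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
24/11/2018 -- 06:43:01 - <Config> - No rules loaded from local.rules.
24/11/2018 -- 06:43:01 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
24/11/2018 -- 06:43:01 - <Info> - Threshold config parsed: 0 rule(s) found
24/11/2018 -- 06:43:02 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
"""

# "dd/mm/yyyy -- hh:mm:ss - <Level> - message"
LINE = re.compile(r"^\d{2}/\d{2}/\d{4} -- \d{2}:\d{2}:\d{2} - <(\w+)> - (.*)$")
LOADED = re.compile(
    r"(\d+) rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed")
EMPTY = re.compile(r"No rules loaded from (\S+)\.")
SIGS = re.compile(
    r"(\d+) signatures processed\. (\d+) are IP-only rules, "
    r"(\d+) are inspecting packet payload, (\d+) inspect application layer, "
    r"(\d+) are decoder event only")


@dataclass
class RuleLoadSummary:
    files_processed: int = 0
    loaded: int = 0
    failed: int = 0
    empty_files: list[str] = field(default_factory=list)   # "No rules loaded from" notices
    signatures: dict[str, int] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)        # <Error>/<Warning> message bodies


def parse_startup_log(text: str) -> RuleLoadSummary:
    s = RuleLoadSummary()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        level, msg = m.groups()
        if level in ("Error", "Warning"):
            s.errors.append(msg)
        loaded = LOADED.search(msg)
        empty = EMPTY.search(msg)
        sigs = SIGS.search(msg)
        if loaded:
            s.files_processed, s.loaded, s.failed = map(int, loaded.groups())
        elif empty:
            s.empty_files.append(empty.group(1))
        elif sigs:
            total, ip_only, payload, app_layer, decoder = map(int, sigs.groups())
            # "signatures processed" need not equal "rules loaded"; keep both.
            s.signatures = {"total": total, "ip_only": ip_only, "payload": payload,
                            "app_layer": app_layer, "decoder_event": decoder}
    return s


def check_rule_load(s: RuleLoadSummary,
                    allow_empty: frozenset[str] | set[str] = frozenset({"local.rules"}),
                    min_loaded: int = 1) -> list[str]:
    """Return human-readable problems; an empty list means the load was clean."""
    problems: list[str] = []
    if s.loaded < min_loaded:
        problems.append(f"only {s.loaded} rules loaded (no load summary found?)")
    if s.failed:
        problems.append(f"{s.failed} rules failed to parse")
    for name in s.empty_files:
        if name not in allow_empty:
            problems.append(f"{name} loaded no rules")
    problems.extend(f"Suricata reported: {e}" for e in s.errors)
    return problems


if __name__ == "__main__":
    summary = parse_startup_log(SAMPLE_LOG)
    print(f"{summary.loaded} rules from {summary.files_processed} files, "
          f"{summary.failed} failed, signatures: {summary.signatures}")
    for p in check_rule_load(summary):
        print("PROBLEM:", p)
```

Run against the log above this flags ET-icmp.rules as having loaded nothing, which is worth knowing before trusting a "no alerts" result for ICMP traffic; local.rules is expected to be empty on a stock install and is allowed through. The same check can be applied to the output of suricata -T before a ruleset update goes live.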


IDSDeathBlossom.py.log - (1180 bytes) - download
2018-11-24 06:42:47,747 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-24 06:42:48,486 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-24 06:42:48,486 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-11-24 06:42:48,487 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-24 06:42:48,487 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-24 06:42:48,487 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872f56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none
2018-11-24 06:43:11,279 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-24 06:43:11,280 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.5406529903