Filename: 2018-11-23-Emotet-infection-with-Gootkit.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: sanitize-spro
Runtime: 2.30829000473 seconds
Hash: e0350bf4bf277b51967d5ff5e696872f
Uploaded: 1543041557

Logfiles


suricata-4.0.0-sanitize-spro-perf.txt-2018-11-24-T-06-39-20-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (471 bytes)
  --------------------------------------------------------------------------
  Date: 11/24/2018 -- 06:39:20. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 


packet_stats.log - (6092 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6         11192          3565758      480768963     341458195       3821.6b   99.90
 IPv4      17            14         18613123      431252381     279645977          3.9b    0.10
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6         11192            39318       21272547         68393        765.5m   84.18
TMM_FLOWWORKER              IPv4      17            14           102489        9157357        991947         13.9m    1.53
TMM_RECEIVEPCAPFILE         IPv4       6         11165             2532       20659338          4742         53.0m    5.82
TMM_RECEIVEPCAPFILE         IPv4      17            14             2570           8730          3163         44.3k    0.00
TMM_DECODEPCAPFILE          IPv4       6         11165             2646        4612337          6883         76.9m    8.45
TMM_DECODEPCAPFILE          IPv4      17            14             2730          18690          4297         60.2k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6         11165             2798        7923579          4053         45.3m  8.03  
flow                    IPv4      17            14             2918          11162          4747         66.5k  0.01  
stream                  IPv4       6         11192             2586        8753481          8510         95.2m  16.90 
app-layer               IPv4      17            14            11394          51140         22365        313.1k  0.06  
detect                  IPv4       6         11192            18209       21238605         34676        388.1m  68.84 
detect                  IPv4      17            14            35072          62626         40818        571.5k  0.10  
tcp-prune               IPv4       6         11192             2521        1224926          3054         34.2m  6.06  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            12             3041          60686         15884        190.6k  41.99 
tls                     IPv4       6            31             2592          29671          3892        120.7k  26.58 
dns                     IPv4      17            14             4297          44881         10191        142.7k  31.43 
Proto detect            IPv4       6             4             2862           6230          4098         16.4k
Proto detect            IPv4      17            14             3809          14654          9685        135.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_JSON_DNS             IPv4      17            14            31098        9022295        906664         12.7m  74.87 
LOGGER_JSON_HTTP            IPv4       6            18            42730         227383        112739          2.0m  11.97 
LOGGER_JSON_TLS             IPv4       6            16            31091         142696         59323        949.2k  5.60  
LOGGER_JSON_FILE            IPv4       6            14            48532         211314         91568          1.3m  7.56  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           102             2726          17977          3191        325.5k  0.19  
PROF_DETECT_IPONLY          IPv4      17            14             2740           6014          3780         52.9k  0.03  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6         10941             2547       10732808          4486         49.1m  29.10 
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            14             2687           9700          3461         48.5k  0.03  
PROF_DETECT_ALERT           IPv4       6         11192             2518        5617042          3532         39.5m  23.44 
PROF_DETECT_ALERT           IPv4      17            14             2530           3819          2933         41.1k  0.02  
PROF_DETECT_CLEANUP         IPv4       6         11192             2545        6894773          4082         45.7m  27.09 
PROF_DETECT_CLEANUP         IPv4      17            14             2941          17470          4617         64.7k  0.04  
PROF_DETECT_GETSGH          IPv4       6         11192             2517         385979          3015         33.8m  20.01 
PROF_DETECT_GETSGH          IPv4      17            14             5363           7480          6035         84.5k  0.05  


stats.log - (2780 bytes)
------------------------------------------------------------------------------------
Date: 11/24/2018 -- 06:39:20 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 11179
decoder.bytes                              | Total                     | 6503078
decoder.ipv4                               | Total                     | 11179
decoder.ethernet                           | Total                     | 11179
decoder.tcp                                | Total                     | 11165
decoder.udp                                | Total                     | 14
decoder.avg_pkt_size                       | Total                     | 581
decoder.max_pkt_size                       | Total                     | 1342
flow.tcp                                   | Total                     | 65
flow.udp                                   | Total                     | 7
tcp.sessions                               | Total                     | 65
tcp.syn                                    | Total                     | 135
tcp.synack                                 | Total                     | 30
tcp.rst                                    | Total                     | 26
tcp.reassembly_gap                         | Total                     | 3
tcp.overlap                                | Total                     | 3
tcp.insert_list_fail                       | Total                     | 249
app_layer.flow.http                        | Total                     | 10
app_layer.tx.http                          | Total                     | 18
app_layer.flow.tls                         | Total                     | 16
app_layer.flow.dns_udp                     | Total                     | 7
app_layer.tx.dns_udp                       | Total                     | 7
flow_mgr.closed_pruned                     | Total                     | 8
flow_mgr.new_pruned                        | Total                     | 4
flow_mgr.est_pruned                        | Total                     | 2
flow.spare                                 | Total                     | 10000
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65536
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7076608


eve.json - (38572 bytes)
{"timestamp":"2018-11-23T17:45:05.447352+0000","flow_id":863549289255800,"pcap_cnt":1,"event_type":"dns","src_ip":"10.11.23.101","src_port":60374,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47151,"rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":863549289255800,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"A","ttl":14400,"rdata":"64.187.229.195"}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":863549289255800,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"NS","ttl":20864,"rdata":"ns2.blazewebtech.com"}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":863549289255800,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"NS","ttl":20864,"rdata":"ns1.blazewebtech.com"}}
{"timestamp":"2018-11-23T17:45:05.822068+0000","flow_id":1104857731760504,"pcap_cnt":164,"event_type":"http","src_ip":"10.11.23.101","src_port":49463,"dest_ip":"64.187.229.195","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sbpupvcwindows.blazewebtech.com","url":"\/US\/Black-Friday\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-11-23T17:45:10.769725+0000","flow_id":1104857731760504,"pcap_cnt":165,"event_type":"fileinfo","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","http":{"hostname":"sbpupvcwindows.blazewebtech.com","url":"\/US\/Black-Friday\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97130},"app_proto":"http","fileinfo":{"filename":"BF_COUPON_5302.doc","gaps":false,"state":"CLOSED","stored":false,"size":97024,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.227354+0000","flow_id":1902370884253722,"pcap_cnt":169,"event_type":"dns","src_ip":"10.11.23.101","src_port":54988,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47911,"rrname":"www.atlantictoursrd.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":1902370884253722,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"www.atlantictoursrd.com","rrtype":"CNAME","ttl":10800,"rdata":"atlantictoursrd.com"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":1902370884253722,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"A","ttl":10800,"rdata":"166.62.74.3"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":1902370884253722,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"NS","ttl":3600,"rdata":"ns40.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":1902370884253722,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"NS","ttl":3600,"rdata":"ns39.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:45:45.480093+0000","flow_id":1969430356131995,"pcap_cnt":177,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:45:45.576387+0000","flow_id":1969430356131995,"pcap_cnt":179,"event_type":"fileinfo","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/www.atlantictoursrd.com\/dWUYS8Xoq\/","length":249},"app_proto":"http","fileinfo":{"filename":"\/dWUYS8Xoq","gaps":false,"state":"CLOSED","stored":false,"size":249,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.654165+0000","flow_id":1969430356131995,"pcap_cnt":348,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-23T17:47:32.195554+0000","flow_id":702077855767578,"pcap_cnt":367,"event_type":"http","src_ip":"10.11.23.101","src_port":49470,"dest_ip":"47.32.209.86","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:48:30.777030+0000","flow_id":702077855767578,"pcap_cnt":369,"event_type":"fileinfo","src_ip":"47.32.209.86","src_port":80,"dest_ip":"10.11.23.101","dest_port":49470,"proto":"TCP","http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}
{"timestamp":"2018-11-23T17:48:31.749999+0000","flow_id":702077855767578,"pcap_cnt":376,"event_type":"fileinfo","src_ip":"47.32.209.86","src_port":80,"dest_ip":"10.11.23.101","dest_port":49470,"proto":"TCP","http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1129},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"TRUNCATED","stored":false,"size":1129,"tx_id":1}}
{"timestamp":"2018-11-23T17:50:24.404762+0000","flow_id":964038657985837,"pcap_cnt":409,"event_type":"http","src_ip":"10.11.23.101","src_port":49472,"dest_ip":"74.56.138.57","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"74.56.138.57","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"2018-11-23T17:52:29.770133+0000","flow_id":2101041058504879,"pcap_cnt":1036,"event_type":"fileinfo","src_ip":"190.210.251.29","src_port":80,"dest_ip":"10.11.23.101","dest_port":49476,"proto":"TCP","http":{"hostname":"190.210.251.29","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":322581},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"TRUNCATED","stored":false,"size":322581,"tx_id":0}}
{"timestamp":"2018-11-23T17:51:19.537547+0000","flow_id":1969430356131995,"event_type":"fileinfo","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":104073},"app_proto":"http","fileinfo":{"filename":"ioDDLsMc.exe","gaps":false,"state":"CLOSED","stored":false,"size":135168,"tx_id":1}}
{"timestamp":"2018-11-23T17:53:57.835470+0000","flow_id":9918131488229,"pcap_cnt":1916,"event_type":"http","src_ip":"10.11.23.101","src_port":49480,"dest_ip":"23.94.123.231","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:53:58.019690+0000","flow_id":9918131488229,"pcap_cnt":1918,"event_type":"fileinfo","src_ip":"23.94.123.231","src_port":443,"dest_ip":"10.11.23.101","dest_port":49480,"proto":"TCP","http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":501284},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":501284,"tx_id":0}}
{"timestamp":"2018-11-23T17:53:58.042265+0000","flow_id":941006911874329,"pcap_cnt":1919,"event_type":"dns","src_ip":"10.11.23.101","src_port":51092,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19283,"rrname":"usa.usagolfcar.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":941006911874329,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"198.55.107.148"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":941006911874329,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"104.223.89.132"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":941006911874329,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usagolfcar.com","rrtype":"NS","ttl":3600,"rdata":"ns77.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":941006911874329,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usagolfcar.com","rrtype":"NS","ttl":3600,"rdata":"ns78.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:53:58.408318+0000","flow_id":9918131488229,"pcap_cnt":1927,"event_type":"http","src_ip":"10.11.23.101","src_port":49480,"dest_ip":"23.94.123.231","dest_port":443,"proto":"TCP","tx_id":1,"http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:54:00.235679+0000","flow_id":1098973661512140,"pcap_cnt":1929,"event_type":"tls","src_ip":"10.11.23.101","src_port":49481,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=NA, ST=huxu, O=olooraf, CN=erux.fr\/emailAddress=neel@eyag.abc","issuerdn":"C=NA, ST=huxu, O=olooraf, CN=erux.fr\/emailAddress=neel@eyag.abc"}}
{"timestamp":"2018-11-23T17:54:01.415957+0000","flow_id":9918131488229,"pcap_cnt":1943,"event_type":"fileinfo","src_ip":"23.94.123.231","src_port":443,"dest_ip":"10.11.23.101","dest_port":49480,"proto":"TCP","http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2018-11-23T17:54:02.993418+0000","flow_id":1151434539698036,"pcap_cnt":1946,"event_type":"tls","src_ip":"10.11.23.101","src_port":49482,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca\/emailAddress=hilu@sapo.tld","issuerdn":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca\/emailAddress=hilu@sapo.tld"}}
{"timestamp":"2018-11-23T17:51:50.355387+0000","flow_id":702077855767578,"event_type":"http","src_ip":"10.11.23.101","src_port":49470,"dest_ip":"47.32.209.86","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:52:05.609365+0000","flow_id":1563467915672319,"event_type":"http","src_ip":"10.11.23.101","src_port":49471,"dest_ip":"72.225.197.185","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"72.225.197.185","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"2018-11-23T17:52:29.770133+0000","flow_id":243190676381492,"event_type":"http","src_ip":"10.11.23.101","src_port":49473,"dest_ip":"100.35.142.37","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"100.35.142.37","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"2018-11-23T17:54:08.788391+0000","flow_id":415105346910720,"pcap_cnt":8215,"event_type":"tls","src_ip":"10.11.23.101","src_port":49483,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=PW, ST=peede, O=kokor, CN=zavab.cx\/emailAddress=mekazubo@gehe.zw","issuerdn":"C=PW, ST=peede, O=kokor, CN=zavab.cx\/emailAddress=mekazubo@gehe.zw"}}
{"timestamp":"2018-11-23T17:54:11.452975+0000","flow_id":567572391075757,"pcap_cnt":8231,"event_type":"tls","src_ip":"10.11.23.101","src_port":49484,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca\/emailAddress=hilu@sapo.tld","issuerdn":"C=LZ, ST=egiwoob, O=e

This file has been truncated.


keyword_perf.log - (707 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/24/2018 -- 06:39:20
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 


suricata-report-2018-11-24-T-06-39-20-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (14126 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/sanitize/suricata400-sanitize-spro.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872f9db70b08ae3e63a42dedc6a201d72793 -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none
elapsedtime:1.331684
stderr:
stdout:
24/11/2018 -- 06:39:18 - <Info> - Configuration node 'rule-files' redefined.
24/11/2018 -- 06:39:18 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/11/2018 -- 06:39:18 - <Info> - CPUs/cores online: 1
24/11/2018 -- 06:39:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32731 and 'request-body-inspect-window' set to 17072 after randomization.
24/11/2018 -- 06:39:18 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31625 and 'response-body-inspect-window' set to 17132 after randomization.
24/11/2018 -- 06:39:18 - <Config> - DNS request flood protection level: 500
24/11/2018 -- 06:39:18 - <Config> - DNS per flow memcap (state-memcap): 524288
24/11/2018 -- 06:39:18 - <Config> - DNS global memcap: 16777216
24/11/2018 -- 06:39:18 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/11/2018 -- 06:39:18 - <Config> - preallocated 1000 hosts of size 136
24/11/2018 -- 06:39:18 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/11/2018 -- 06:39:18 - <Config> - using magic-file /usr/share/file/magic
24/11/2018 -- 06:39:18 - <Config> - Core dump size is unlimited.
24/11/2018 -- 06:39:18 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/11/2018 -- 06:39:18 - <Config> - preallocated 1000 defrag trackers of size 168
24/11/2018 -- 06:39:18 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/11/2018 -- 06:39:18 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/11/2018 -- 06:39:18 - <Config> - stream "memcap": 33554432
24/11/2018 -- 06:39:18 - <Config> - stream "midstream" session pickups: disabled
24/11/2018 -- 06:39:18 - <Config> - stream "async-oneside": disabled
24/11/2018 -- 06:39:18 - <Config> - stream "checksum-validation": disabled
24/11/2018 -- 06:39:18 - <Config> - stream."inline": disabled
24/11/2018 -- 06:39:18 - <Config> - stream "bypass": disabled
24/11/2018 -- 06:39:18 - <Config> - stream "max-synack-queued": 5
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "memcap": 134217728
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "depth": 0
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "toserver-chunk-size": 2656
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "toclient-chunk-size": 2657
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly.raw: enabled
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "segment-prealloc": 2048
24/11/2018 -- 06:39:18 - <Config> - Delayed detect disabled
24/11/2018 -- 06:39:18 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/11/2018 -- 06:39:18 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/11/2018 -- 06:39:18 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/11/2018 -- 06:39:18 - <Config> - prefilter engines: MPM
24/11/2018 -- 06:39:18 - <Config> - IP reputation disabled
24/11/2018 -- 06:39:18 - <Perf> - Registered 148 keyword profiling counters.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from all.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-botcc.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-compromised.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-drop.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-dshield.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-tor.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-ciarmy.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!
24/11/2018 -- 06:39:18 - <Info> - Threshold config parsed: 0 rule(s) found
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tcp-packet
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tcp-stream
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for udp-packet
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for other-ip
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_uri
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_client_body
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_accept
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_accept_enc
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_accept_lang
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_referer
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_connection
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_method
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_raw_uri
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_user_agent
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_host
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_raw_host
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_stat_msg
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_stat_code
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for dns_query
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tls_sni
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:39:18 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
24/11/2018 -- 06:39:18 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/11/2018 -- 06:39:18 - <Perf> - TCP toserver: 0 port groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - Unique rule groups: 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toserver TCP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toclient TCP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toserver TCP stream": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toclient TCP stream": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toserver UDP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toclient UDP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "other IP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Registered 0 rule profiling counters.
24/11/2018 -- 06:39:18 - <Info> - fast output device (regular) initialized: alert
24/11/2018 -- 06:39:18 - <Info> - eve-log output device (regular) initialized: eve.json
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'alert'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'http'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'dns'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'tls'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'files'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'ssh'
24/11/2018 -- 06:39:18 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/11/2018 -- 06:39:18 - <Info> - stats output device (regular) initialized: stats.log
24/11/2018 -- 06:39:18 - <Config> - AutoFP mode using "Hash" flow load balancer
24/11/2018 -- 06:39:18 - <Info> - reading pcap file /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap
24/11/2018 -- 06:39:18 - <Config> - using 1 flow manager threads
24/11/2018 -- 06:39:18 - <Config> - using 1 flow recycler threads
24/11/2018 -- 06:39:18 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
24/11/2018 -- 06:39:18 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
24/11/2018 -- 06:39:19 - <Info> - pcap file end of file reached (pcap err code 0)
24/11/2018 -- 06:39:19 - <Notice> - Signal Received.  Stopping engine.
24/11/2018 -- 06:39:19 - <Perf> - 0 new flows, 0 established flows were timed out, 0 flows in closed state
24/11/2018 -- 06:39:19 - <Info> - time elapsed 0.518s
24/11/2018 -- 06:39:20 - <Perf> - 72 flows processed
24/11/2018 -- 06:39:20 - <Notice> - Pcap-file module read 11179 packets, 6503078 bytes
24/11/2018 -- 06:39:20 - <Perf> - AutoFP - Total flow handler queues - 1
24/11/2018 -- 06:39:20 - <Info> - Alerts: 0
24/11/2018 -- 06:39:20 - <Perf> - ippair memory usage: 398144 bytes, maximum: 16777216
24/11/2018 -- 06:39:20 - <Perf> - Done dumping profiling data.
24/11/2018 -- 06:39:20 - <Perf> - host memory usage: 398144 bytes, maximum: 16777216
24/11/2018 -- 06:39:20 - <Perf> - Dumping profiling data for 0 rules.
24/11/2018 -- 06:39:20 - <Perf> - Done dumping profiling data.
24/11/2018 -- 06:39:20 - <Perf> - Done dumping keyword profiling data.
24/11/2018 -- 06:39:20 - <Info> - cleaning up signature grouping structure... complete
returncode: 0
errors:
warnings:
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!


IDSDeathBlossom.py.log - (17747 bytes) - download
2018-11-24 06:39:17,890 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-24 06:39:18,681 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-24 06:39:18,681 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-sanitize-spro
2018-11-24 06:39:18,682 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-24 06:39:18,682 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-24 06:39:18,682 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/sanitize/suricata400-sanitize-spro.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872f9db70b08ae3e63a42dedc6a201d72793 -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none
2018-11-24 06:39:20,023 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
2018-11-24 06:39:20,023 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
2018-11-24 06:39:20,024 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
2018-11-24 06:39:20,024 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
2018-11-24 06:39:20,024 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
2018-11-24 06:39:20,024 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
2018-11-24 06:39:20,025 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
2018-11-24 06:39:20,025 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +516 - parse_ids_out: Warning found in stdout
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!
2018-11-24 06:39:20,026 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-24 06:39:20,026 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +437 - mode:suricata; lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/sanitize/suricata400-sanitize-spro.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872f9db70b08ae3e63a42dedc6a201d72793 -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none; returncode:0; elapsed:1.331684; Errors:
None
 Warnings:
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
- 24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!

 stderr:

 stdout:
24/11/2018 -- 06:39:18 - <Info> - Configuration node 'rule-files' redefined.
24/11/2018 -- 06:39:18 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/11/2018 -- 06:39:18 - <Info> - CPUs/cores online: 1
24/11/2018 -- 06:39:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32731 and 'request-body-inspect-window' set to 17072 after randomization.
24/11/2018 -- 06:39:18 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31625 and 'response-body-inspect-window' set to 17132 after randomization.
24/11/2018 -- 06:39:18 - <Config> - DNS request flood protection level: 500
24/11/2018 -- 06:39:18 - <Config> - DNS per flow memcap (state-memcap): 524288
24/11/2018 -- 06:39:18 - <Config> - DNS global memcap: 16777216
24/11/2018 -- 06:39:18 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/11/2018 -- 06:39:18 - <Config> - preallocated 1000 hosts of size 136
24/11/2018 -- 06:39:18 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/11/2018 -- 06:39:18 - <Config> - using magic-file /usr/share/file/magic
24/11/2018 -- 06:39:18 - <Config> - Core dump size is unlimited.
24/11/2018 -- 06:39:18 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/11/2018 -- 06:39:18 - <Config> - preallocated 1000 defrag trackers of size 168
24/11/2018 -- 06:39:18 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/11/2018 -- 06:39:18 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/11/2018 -- 06:39:18 - <Config> - stream "memcap": 33554432
24/11/2018 -- 06:39:18 - <Config> - stream "midstream" session pickups: disabled
24/11/2018 -- 06:39:18 - <Config> - stream "async-oneside": disabled
24/11/2018 -- 06:39:18 - <Config> - stream "checksum-validation": disabled
24/11/2018 -- 06:39:18 - <Config> - stream."inline": disabled
24/11/2018 -- 06:39:18 - <Config> - stream "bypass": disabled
24/11/2018 -- 06:39:18 - <Config> - stream "max-synack-queued": 5
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "memcap": 134217728
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "depth": 0
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "toserver-chunk-size": 2656
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "toclient-chunk-size": 2657
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly.raw: enabled
24/11/2018 -- 06:39:18 - <Config> - stream.reassembly "segment-prealloc": 2048
24/11/2018 -- 06:39:18 - <Config> - Delayed detect disabled
24/11/2018 -- 06:39:18 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/11/2018 -- 06:39:18 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/11/2018 -- 06:39:18 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/11/2018 -- 06:39:18 - <Config> - prefilter engines: MPM
24/11/2018 -- 06:39:18 - <Config> - IP reputation disabled
24/11/2018 -- 06:39:18 - <Perf> - Registered 148 keyword profiling counters.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/all.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from all.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-botcc.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-botcc.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-compromised.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-compromised.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-drop.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-drop.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-dshield.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-dshield.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-tor.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-tor.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/suricata400/etc/sanitize/spro/emerging-ciarmy.rules
24/11/2018 -- 06:39:18 - <Config> - No rules loaded from emerging-ciarmy.rules.
24/11/2018 -- 06:39:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 7 rule files specified, but no rule was loaded at all!
24/11/2018 -- 06:39:18 - <Info> - Threshold config parsed: 0 rule(s) found
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tcp-packet
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tcp-stream
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for udp-packet
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for other-ip
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_uri
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_client_body
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_accept
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_accept_enc
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_accept_lang
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_referer
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_connection
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_method
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_raw_uri
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_user_agent
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_host
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_raw_host
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_stat_msg
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_stat_code
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for dns_query
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tls_sni
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:39:18 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:39:18 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
24/11/2018 -- 06:39:18 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/11/2018 -- 06:39:18 - <Perf> - TCP toserver: 0 port groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - TCP toclient: 0 port groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - UDP toserver: 0 port groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - UDP toclient: 0 port groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
24/11/2018 -- 06:39:18 - <Perf> - Unique rule groups: 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toserver TCP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toclient TCP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toserver TCP stream": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toclient TCP stream": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toserver UDP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "toclient UDP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Builtin MPM "other IP packet": 0
24/11/2018 -- 06:39:18 - <Perf> - Registered 0 rule profiling counters.
24/11/2018 -- 06:39:18 - <Info> - fast output device (regular) initialized: alert
24/11/2018 -- 06:39:18 - <Info> - eve-log output device (regular) initialized: eve.json
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'alert'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'http'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'dns'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'tls'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'files'
24/11/2018 -- 06:39:18 - <Config> - enabling 'eve-log' module 'ssh'
24/11/2018 -- 06:39:18 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/11/2018 -- 06:39:18 - <Info> - stats output device (regular) initialized: stats.log
24/11/2018 -- 06:39:18 - <Config> - AutoFP mode using "Hash" flow load balancer
24/11/2018 -- 06:39:18 - <Info> - reading pcap file /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap
24/11/2018 -- 06:39:18 - <Config> - using 1 flow manager threads
24/11/2018 -- 06:39:18 - <Config> - using 1 flow recycler threads
24/11/2018 -- 06:39:18 - <Notice> - all 2 packet processing threads, 4 management threads initial

This file has been truncated.