Filename: 2018-11-23-Emotet-infection-with-Gootkit.pcap
Status: Analysis complete
IDS: snort-2.9.8.0
Ruleset: sanitize-spro
Runtime: 1.00298404694 seconds
Hash: e0350bf4bf277b51967d5ff5e696872f
Uploaded: 1543354095

Logfiles


snort-report-2018-11-27-T-21-28-16-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (2511 bytes)
lastcmd:ulimit -c unlimited; /opt/snort2980/bin/snort -c /opt/snort2980/etc/sanitize/snort2980-sanitize-spro.conf -l /var/www/html/e0350bf4bf277b51967d5ff5e696872fba764dbcb11899aa781cb9a7212ce1e8 -K none -k none -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -A fast
elapsedtime:0.031715
stderr:
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/opt/snort2980/etc/sanitize/snort2980-sanitize-spro.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: /opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules(0) Unable to open rules file "/opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules": No such file or directory.

Fatal Error, Quitting..
stdout:
returncode:
1errors:
- ERROR: /opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules(0) Unable to open rules file "/opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules": No such file or directory.
- Fatal Error, Quitting..
warnings:


IDSDeathBlossom.py.log - (4947 bytes)
2018-11-27 21:28:15,997 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-27 21:28:16,774 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-27 21:28:16,774 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to snort-2.9.8.0-sanitize-spro
2018-11-27 21:28:16,774 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-27 21:28:16,775 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-27 21:28:16,775 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/snort2980/bin/snort -c /opt/snort2980/etc/sanitize/snort2980-sanitize-spro.conf -l /var/www/html/e0350bf4bf277b51967d5ff5e696872fba764dbcb11899aa781cb9a7212ce1e8 -K none -k none -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -A fast
2018-11-27 21:28:16,806 - WARNING - cmd_wrapper - /opt/IDSDeathBlossom/IDSDeathBlossom.py +106 - there was an error executing ulimit -c unlimited; /opt/snort2980/bin/snort -c /opt/snort2980/etc/sanitize/snort2980-sanitize-spro.conf -l /var/www/html/e0350bf4bf277b51967d5ff5e696872fba764dbcb11899aa781cb9a7212ce1e8 -K none -k none -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -A fast
2018-11-27 21:28:16,814 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
ERROR: /opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules(0) Unable to open rules file "/opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules": No such file or directory.
2018-11-27 21:28:16,815 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +504 - parse_ids_out: rule error found in stderr
file: /opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules (line 0)
2018-11-27 21:28:16,815 - INFO - parse_ids_out - /opt/IDSDeathBlossom/IDSDeathBlossom.py +479 - parse_ids_out: Error found in stderr
Fatal Error, Quitting..
2018-11-27 21:28:16,815 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +442 - snort ran with errors
2018-11-27 21:28:16,815 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +449 - mode:snort; lastcmd:ulimit -c unlimited; /opt/snort2980/bin/snort -c /opt/snort2980/etc/sanitize/snort2980-sanitize-spro.conf -l /var/www/html/e0350bf4bf277b51967d5ff5e696872fba764dbcb11899aa781cb9a7212ce1e8 -K none -k none -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -A fast; returncode:1; elapsed:0.031715; Errors:
- ERROR: /opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules(0) Unable to open rules file "/opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules": No such file or directory.
- Fatal Error, Quitting..

 Warnings:
None
 stderr:
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/opt/snort2980/etc/sanitize/snort2980-sanitize-spro.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: /opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules(0) Unable to open rules file "/opt/snort2980/etc/sanitize//opt/snort2980/etc/sanitize/spro/all.rules": No such file or directory.

Fatal Error, Quitting..

 stdout:

 
2018-11-27 21:28:16,815 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 0.825942993164