Filename: 2018-11-23-Emotet-infection-with-Gootkit.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etopen-all
Runtime: 29.7954721451 seconds
Hash: e0350bf4bf277b51967d5ff5e696872f
Uploaded: 1543041771 (Unix epoch, 2018-11-24 06:42:51 UTC)

Logfiles


packet_stats.log - (12900 bytes)

Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot            %
------   -----   ----------     ------------   ------------   -----------    -----------    ---
 IPv4       6         11196            95798     1272010318     914473461      10238.4b   99.90
 IPv4      17            14         10518988     1064315836     741735927         10.4b    0.10
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot            %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------    ---
TMM_FLOWWORKER              IPv4       6         11196            65851       15593836        141289          1.6b   92.25
TMM_FLOWWORKER              IPv4      17            14           358689         973075        504627          7.1m    0.41
TMM_RECEIVEPCAPFILE         IPv4       6         11165             2534       20509214          5117         57.1m    3.33
TMM_RECEIVEPCAPFILE         IPv4      17            14             2571           4929          2911         40.8k    0.00
TMM_DECODEPCAPFILE          IPv4       6         11165             2649        4572492          6136         68.5m    4.00
TMM_DECODEPCAPFILE          IPv4      17            14             2849          11587          4011         56.2k    0.00

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot      %
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------   -----
flow                    IPv4       6         11165             2789         168161          3265         36.5m  2.58  
flow                    IPv4      17            14             3118          15774          4856         68.0k  0.00  
stream                  IPv4       6         11196             2579        3435196          7315         81.9m  5.80  
app-layer               IPv4      17            14            12591          62948         22058        308.8k  0.02  
detect                  IPv4       6         11196            44594       15553860        111774          1.3b  88.56 
detect                  IPv4      17            14           259060         448833        325067          4.6m  0.32  
tcp-prune               IPv4       6         11196             2522        5545498          3432         38.4m  2.72  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot      %
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------   -----
http                    IPv4       6            12             3291          61475         18391        220.7k  52.14 
tls                     IPv4       6            31             2615           4590          3143         97.5k  23.02 
dns                     IPv4      17            14             5102           9998          7509        105.1k  24.84 
Proto detect            IPv4       6             5             3380           7122          4443         22.2k
Proto detect            IPv4      17            14             4859          32987         12244        171.4k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot            %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------    ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot      %
------------------------   ------   -----   ----------     ------------   ------------   -----------    ------   -----
LOGGER_ALERT_FAST           IPv4       6             3            41317         105050         74199        222.6k  2.98  
LOGGER_UNIFIED2             IPv4       6             3            46876         128547         94629        283.9k  3.81  
LOGGER_JSON_ALERT           IPv4       6             3            65562         123610         96073        288.2k  3.86  
LOGGER_JSON_DNS             IPv4      17            14            62576         442168        135941          1.9m  25.52 
LOGGER_JSON_HTTP            IPv4       6            18            60635         229217        118337          2.1m  28.56 
LOGGER_JSON_TLS             IPv4       6            16            36841         140308         73323          1.2m  15.73 
LOGGER_JSON_FILE            IPv4       6            14            55550         224967        104019          1.5m  19.53 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1676             2562        4756550         21386        35.8m  12.97 
payload                           IPv4      17            14            11948          63214         30296       424.1k  0.15  
stream                            IPv4       6          1676             2537        6060791         32097        53.8m  19.46 
http_uri                          IPv4       6            18             3496          29900          7275       131.0k  0.05  
http_request_line                 IPv4       6            18             4503           8250          6379       114.8k  0.04  
http_client_body                  IPv4       6            18             2958           4113          3389        61.0k  0.02  
http_header (request)             IPv4       6            18            27662         103780         66397         1.2m  0.43  
http_header (request trailer)     IPv4       6            18             2590           2951          2658        47.8k  0.02  
http_header_names (request)       IPv4       6            18             8176          24084         16932       304.8k  0.11  
http_accept (request)             IPv4       6            18             3096           7585          3898        70.2k  0.03  
http_referer (request)            IPv4       6            18             2801          31425          4805        86.5k  0.03  
http_content_len (request)        IPv4       6            18             2923           4187          3456        62.2k  0.02  
http_content_type (request)       IPv4       6            18             2940           4380          3527        63.5k  0.02  
http_start (request)              IPv4       6            18             7283          29242         14128       254.3k  0.09  
http_raw_header (request)         IPv4       6            18             9942          38400         16298       293.4k  0.11  
http_method                       IPv4       6            18             3429          23189          5407        97.3k  0.04  
http_cookie (request)             IPv4       6            18             2901          53464         13778       248.0k  0.09  
http_raw_uri                      IPv4       6            18             2642           6585          3620        65.2k  0.02  
http_user_agent                   IPv4       6            18            14840          56299         36449       656.1k  0.24  
http_host                         IPv4       6            18             3594          11339          5391        97.0k  0.04  
dns_query                         IPv4      17             7             6660          48504         15311       107.2k  0.04  
tls_sni                           IPv4       6            16             3767          20780          7475       119.6k  0.04  
http_response_line                IPv4       6            14             5137           9811          7848       109.9k  0.04  
http_header (response)            IPv4       6            14            18772          54607         33961       475.5k  0.17  
http_header (response trailer)    IPv4       6            12             2630          72904         13552       162.6k  0.06  
http_content_type (response)      IPv4       6            14             3877          18870          7122        99.7k  0.04  
http_raw_header (response)        IPv4       6          1484             3465        5866229          8570        12.7m  4.60  
http_cookie (response)            IPv4       6            14             2869           3800          3234        45.3k  0.02  
http_stat_code                    IPv4       6            14             3218           5109          4295        60.1k  0.02  
tls_cert_issuer                   IPv4       6            16             3905          22603          6979       111.7k  0.04  
tls_cert_subject                  IPv4       6            16             4220           7902          6162        98.6k  0.04  
tls_cert_serial                   IPv4       6            16             3482           7345          5114        81.8k  0.03  
file_data (http response)         IPv4       6          1484             2567       14855070        113434       168.3m  60.89 
Total                             IPv4                  6793                                         40695       276.4m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot      %
------------------------   ------   -----   ----------     ------------   ------------   -----------    ------   -----
PROF_DETECT_IPONLY          IPv4       6           102             3381          65823         22519          2.3m  0.16  
PROF_DETECT_IPONLY          IPv4      17            14            18804          47248         29075        407.1k  0.03  
PROF_DETECT_RULES           IPv4       6         11196             2525       12802711         22410        250.9m  17.87 
PROF_DETECT_RULES           IPv4      17            14           136745         232809        172728          2.4m  0.17  
PROF_DETECT_STATEFUL_START    IPv4       6          2089             5101        6207793         34009         71.0m  5.06  
PROF_DETECT_STATEFUL_CONT    IPv4       6         11196             2510          87626          4442         49.7m  3.54  
PROF_DETECT_STATEFUL_CONT    IPv4      17            14             3698          24334          5556         77.8k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6         10945             2540         124275          2780         30.4m  2.17  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            14             2694           3537          2933         41.1k  0.00  
PROF_DETECT_PREFILTER       IPv4       6         11196             7793       14974757         43370        485.6m  34.58 
PROF_DETECT_PREFILTER       IPv4      17            14            49243         110033         67079        939.1k  0.07  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1676            13920        6086098         61664        103.3m  7.36  
PROF_DETECT_PF_PAYLOAD      IPv4      17            14            17258          68503         35596        498.4k  0.04  
PROF_DETECT_PF_TX           IPv4       6         10945             2546       14871512         21956        240.3m  17.11 
PROF_DETECT_PF_TX           IPv4      17             7            12204          55386         21346        149.4k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6          1246             2521          73532          3209          4.0m  0.28  
PROF_DETECT_PF_SORT1        IPv4      17            14             3196           4306          3959         55.4k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6         11196             2511          61848          2784         31.2m  2.22  
PROF_DETECT_PF_SORT2        IPv4      17            14             3192           4387          3541         49.6k  0.00  
PROF_DETECT_NONMPMLIST      IPv4       6         11196             2521          70964          2975         33.3m  2.37  
PROF_DETECT_NONMPMLIST      IPv4      17            14             2794           4098          3319         46.5k  0.00  
PROF_DETECT_ALERT           IPv4       6         11196             2518          72568          2789         31.2m  2.22  
PROF_DETECT_ALERT           IPv4      17            14             2531           4082          3049         42.7k  0.00  
PROF_DETECT_CLEANUP         IPv4       6         11196             2548         108216          2849         31.9m  2.27  
PROF_DETECT_CLEANUP         IPv4      17            14             2987           4977          3711         52.0k  0.00  
PROF_DETECT_GETSGH          IPv4       6         11196             2516          69881          3039         34.0m  2.42  
PROF_DETECT_GETSGH          IPv4      17            14             5483           7101          5912         82.8k  0.01  


unified2.alert.1543041798 - (19592 bytes)
[unified2 is a binary record format (event and packet records as written by Snort/Suricata), so the page's text rendering of it is unreadable and is not reproduced here. What survives of the embedded packet payload is the downloaded Word document itself: OLE2 storage and stream names (Root Entry, WordDocument, SummaryInformation, DocumentSummaryInformation, Macros, VBA, _VBA_PROJECT, __SRP_2, __SRP_3), a VBA module named wpdEzDp with the procedure reference Project.wpdEzDp.AutoOpen / PROJECT.WPDEZDP.AUTOOPEN, the parts drs/e2oDoc.xml and drs/downrev.xml, and font names (Times New Roman, Symbol, Arial, Calibri, Tahoma, Calibri Light, Cambria Math). Those strings are consistent with the two ET signatures that fired on this download (sids 2019613 and 2019837 in eve.json below). The file as shown on the page was truncated; read the real file with a unified2 parser (for example idstools-u2json) rather than as text.]


stats.log - (3386 bytes)
------------------------------------------------------------------------------------
Date: 11/24/2018 -- 06:43:21 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 11179
decoder.bytes                              | Total                     | 6503078
decoder.ipv4                               | Total                     | 11179
decoder.ethernet                           | Total                     | 11179
decoder.tcp                                | Total                     | 11165
decoder.udp                                | Total                     | 14
decoder.avg_pkt_size                       | Total                     | 581
decoder.max_pkt_size                       | Total                     | 1342
flow.tcp                                   | Total                     | 65
flow.udp                                   | Total                     | 7
tcp.sessions                               | Total                     | 65
tcp.syn                                    | Total                     | 135
tcp.synack                                 | Total                     | 30
tcp.rst                                    | Total                     | 26
tcp.reassembly_gap                         | Total                     | 3
tcp.overlap                                | Total                     | 3
tcp.insert_list_fail                       | Total                     | 249
detect.alert                               | Total                     | 5
detect.nonmpm_list                         | Total                     | 2
app_layer.flow.http                        | Total                     | 10
app_layer.tx.http                          | Total                     | 18
app_layer.flow.tls                         | Total                     | 16
app_layer.flow.dns_udp                     | Total                     | 7
app_layer.tx.dns_udp                       | Total                     | 7
flow_mgr.closed_pruned                     | Total                     | 18
flow_mgr.new_pruned                        | Total                     | 29
flow_mgr.est_pruned                        | Total                     | 7
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 63
flow_mgr.flows_notimeout                   | Total                     | 2
flow_mgr.flows_timeout                     | Total                     | 61
flow_mgr.flows_timeout_inuse               | Total                     | 16
flow_mgr.flows_removed                     | Total                     | 45
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65473
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7092448
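Before trusting the alert count or the extracted files, the counters above are worth reading against each other: tcp.syn (135) versus tcp.synack (30) says most connection attempts in this capture never completed a handshake (SYN retransmissions inflate tcp.syn, so treat the difference as an upper bound), at most 39 of the 65 TCP flows were classified as neither HTTP nor TLS, and tcp.reassembly_gap is 3, which is the reason to check the gaps field on each fileinfo record you rely on. The following Python is an added example, not part of this page or of Suricata; it parses the `counter | TM Name | value` layout into a dictionary and derives those figures. SAMPLE_STATS is an excerpt copied from the stats.log above, and the warning thresholds are the example's own heuristics.

```python
"""Parse a Suricata stats.log dump and derive triage indicators from it.

Added example, not part of the original page or of Suricata. SAMPLE_STATS is
a constructed excerpt of the stats.log shown above (only the counters used).
"""
import re

SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 11/24/2018 -- 06:43:21 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 11179
decoder.tcp                                | Total                     | 11165
decoder.udp                                | Total                     | 14
flow.tcp                                   | Total                     | 65
flow.udp                                   | Total                     | 7
tcp.sessions                               | Total                     | 65
tcp.syn                                    | Total                     | 135
tcp.synack                                 | Total                     | 30
tcp.rst                                    | Total                     | 26
tcp.reassembly_gap                         | Total                     | 3
detect.alert                               | Total                     | 5
app_layer.flow.http                        | Total                     | 10
app_layer.tx.http                          | Total                     | 18
app_layer.flow.tls                         | Total                     | 16
app_layer.flow.dns_udp                     | Total                     | 7
"""

# One counter row: "name | thread-module name | integer value".
ROW = re.compile(r"^(?P<counter>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")


def parse_stats(text):
    """Return {(counter, tm_name): value}. Rulers, the Date line and the header are skipped."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counters[(m["counter"], m["tm"])] = int(m["value"])
    return counters


def triage(counters):
    """Derive a few numbers worth checking before trusting alert and fileinfo output."""
    def total(name):
        return counters.get((name, "Total"), 0)

    syn, synack, sessions = total("tcp.syn"), total("tcp.synack"), total("tcp.sessions")
    # TCP flows Suricata never classified as HTTP or TLS: failed connects or unknown protocols.
    unclassified_tcp = total("flow.tcp") - total("app_layer.flow.http") - total("app_layer.flow.tls")
    findings = {
        "unanswered_syns": syn - synack,          # upper bound: retransmitted SYNs count too
        "syn_per_session": round(syn / sessions, 2) if sessions else None,
        "unclassified_tcp_flows": unclassified_tcp,
        "reassembly_gaps": total("tcp.reassembly_gap"),
        "alerts": total("detect.alert"),
        "warnings": [],
    }
    # Heuristic thresholds chosen for this example, not Suricata defaults.
    if findings["unanswered_syns"] > synack:
        findings["warnings"].append(
            "more SYNs without SYN/ACK than completed handshakes: look for repeated "
            "connection attempts to unreachable hosts")
    if findings["reassembly_gaps"]:
        findings["warnings"].append(
            "tcp.reassembly_gap > 0: extracted files and their hashes may be incomplete; "
            "confirm fileinfo.gaps is false on the flows you rely on")
    if findings["alerts"] and findings["alerts"] < total("app_layer.tx.http"):
        findings["warnings"].append(
            "fewer alerts than HTTP transactions: walk the eve.json http and fileinfo "
            "records, not only the alerts")
    return findings


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(parse_stats(SAMPLE_STATS)))
```

Point it at a real stats.log and it will pick up the last dump in the file only if you split on the Date line first; Suricata appends a fresh dump every stats interval, and this parser keeps the last value seen for each counter.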


eve.json - (40739 bytes)
{"timestamp":"2018-11-23T17:45:05.447352+0000","flow_id":1673552203993976,"pcap_cnt":1,"event_type":"dns","src_ip":"10.11.23.101","src_port":60374,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47151,"rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":1673552203993976,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"A","ttl":14400,"rdata":"64.187.229.195"}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":1673552203993976,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"NS","ttl":20864,"rdata":"ns2.blazewebtech.com"}}
{"timestamp":"2018-11-23T17:45:05.523720+0000","flow_id":1673552203993976,"pcap_cnt":2,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":60374,"proto":"UDP","dns":{"type":"answer","id":47151,"rcode":"NOERROR","rrname":"sbpupvcwindows.blazewebtech.com","rrtype":"NS","ttl":20864,"rdata":"ns1.blazewebtech.com"}}
{"timestamp":"2018-11-23T17:45:05.767380+0000","flow_id":2143153190666616,"pcap_cnt":85,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019613,"rev":3,"signature":"ET POLICY Office Document Download Containing AutoOpen Macro","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.769051+0000","flow_id":2143153190666616,"pcap_cnt":101,"event_type":"alert","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:05.821936+0000","flow_id":2143153190666616,"pcap_cnt":163,"event_type":"http","src_ip":"10.11.23.101","src_port":49463,"dest_ip":"64.187.229.195","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"sbpupvcwindows.blazewebtech.com","url":"\/US\/Black-Friday\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-11-23T17:45:10.769725+0000","flow_id":2143153190666616,"pcap_cnt":165,"event_type":"fileinfo","src_ip":"64.187.229.195","src_port":80,"dest_ip":"10.11.23.101","dest_port":49463,"proto":"TCP","http":{"hostname":"sbpupvcwindows.blazewebtech.com","url":"\/US\/Black-Friday\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97130},"app_proto":"http","fileinfo":{"filename":"BF_COUPON_5302.doc","gaps":false,"state":"CLOSED","stored":false,"size":97024,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.227354+0000","flow_id":596922017085466,"pcap_cnt":169,"event_type":"dns","src_ip":"10.11.23.101","src_port":54988,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47911,"rrname":"www.atlantictoursrd.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":596922017085466,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"www.atlantictoursrd.com","rrtype":"CNAME","ttl":10800,"rdata":"atlantictoursrd.com"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":596922017085466,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"A","ttl":10800,"rdata":"166.62.74.3"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":596922017085466,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"NS","ttl":3600,"rdata":"ns40.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:45:45.356161+0000","flow_id":596922017085466,"pcap_cnt":170,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":54988,"proto":"UDP","dns":{"type":"answer","id":47911,"rcode":"NOERROR","rrname":"atlantictoursrd.com","rrtype":"NS","ttl":3600,"rdata":"ns39.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:45:45.480093+0000","flow_id":2131601878778011,"pcap_cnt":177,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:45:45.576387+0000","flow_id":2131601878778011,"pcap_cnt":179,"event_type":"fileinfo","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/www.atlantictoursrd.com\/dWUYS8Xoq\/","length":249},"app_proto":"http","fileinfo":{"filename":"\/dWUYS8Xoq","gaps":false,"state":"CLOSED","stored":false,"size":249,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.582156+0000","flow_id":2131601878778011,"pcap_cnt":217,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-11-23T17:45:45.582156+0000","flow_id":2131601878778011,"pcap_cnt":217,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2022053,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-23T17:45:45.582156+0000","flow_id":2131601878778011,"pcap_cnt":217,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2018-11-23T17:45:45.654007+0000","flow_id":2131601878778011,"pcap_cnt":347,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream"}}
{"timestamp":"2018-11-23T17:47:32.195554+0000","flow_id":1068369846639642,"pcap_cnt":367,"event_type":"http","src_ip":"10.11.23.101","src_port":49470,"dest_ip":"47.32.209.86","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:48:30.777030+0000","flow_id":1068369846639642,"pcap_cnt":369,"event_type":"fileinfo","src_ip":"47.32.209.86","src_port":80,"dest_ip":"10.11.23.101","dest_port":49470,"proto":"TCP","http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}
{"timestamp":"2018-11-23T17:48:32.707595+0000","flow_id":1068369846639642,"pcap_cnt":379,"event_type":"fileinfo","src_ip":"47.32.209.86","src_port":80,"dest_ip":"10.11.23.101","dest_port":49470,"proto":"TCP","http":{"hostname":"47.32.209.86","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1129},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"TRUNCATED","stored":false,"size":1129,"tx_id":1}}
{"timestamp":"2018-11-23T17:50:24.404762+0000","flow_id":1564322614627629,"pcap_cnt":409,"event_type":"http","src_ip":"10.11.23.101","src_port":49472,"dest_ip":"74.56.138.57","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"74.56.138.57","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"2018-11-23T17:52:29.770133+0000","flow_id":1611928035352751,"pcap_cnt":1036,"event_type":"fileinfo","src_ip":"190.210.251.29","src_port":80,"dest_ip":"10.11.23.101","dest_port":49476,"proto":"TCP","http":{"hostname":"190.210.251.29","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":322581},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"TRUNCATED","stored":false,"size":322581,"tx_id":0}}
{"timestamp":"2018-11-23T17:53:57.835470+0000","flow_id":1069553135404517,"pcap_cnt":1916,"event_type":"http","src_ip":"10.11.23.101","src_port":49480,"dest_ip":"23.94.123.231","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:53:58.019690+0000","flow_id":1069553135404517,"pcap_cnt":1918,"event_type":"fileinfo","src_ip":"23.94.123.231","src_port":443,"dest_ip":"10.11.23.101","dest_port":49480,"proto":"TCP","http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":501284},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":501284,"tx_id":0}}
{"timestamp":"2018-11-23T17:53:58.042265+0000","flow_id":1775128215463193,"pcap_cnt":1919,"event_type":"dns","src_ip":"10.11.23.101","src_port":51092,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19283,"rrname":"usa.usagolfcar.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1775128215463193,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"198.55.107.148"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1775128215463193,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"104.223.89.132"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1775128215463193,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usagolfcar.com","rrtype":"NS","ttl":3600,"rdata":"ns77.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1775128215463193,"pcap_cnt":1920,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usagolfcar.com","rrtype":"NS","ttl":3600,"rdata":"ns78.domaincontrol.com"}}
{"timestamp":"2018-11-23T17:53:58.408318+0000","flow_id":1069553135404517,"pcap_cnt":1927,"event_type":"http","src_ip":"10.11.23.101","src_port":49480,"dest_ip":"23.94.123.231","dest_port":443,"proto":"TCP","tx_id":1,"http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-11-23T17:54:00.235679+0000","flow_id":1524409499533772,"pcap_cnt":1929,"event_type":"tls","src_ip":"10.11.23.101","src_port":49481,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=NA, ST=huxu, O=olooraf, CN=erux.fr\/emailAddress=neel@eyag.abc","issuerdn":"C=NA, ST=huxu, O=olooraf, CN=erux.fr\/emailAddress=neel@eyag.abc"}}
{"timestamp":"2018-11-23T17:54:01.415957+0000","flow_id":1069553135404517,"pcap_cnt":1943,"event_type":"fileinfo","src_ip":"23.94.123.231","src_port":443,"dest_ip":"10.11.23.101","dest_port":49480,"proto":"TCP","http":{"hostname":"23.94.123.231","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2018-11-23T17:54:02.993418+0000","flow_id":1578906192217972,"pcap_cnt":1946,"event_type":"tls","src_ip":"10.11.23.101","src_port":49482,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca\/emailAddress=hilu@sapo.tld","issuerdn":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca\/emailAddress=hilu@sapo.tld"}}
{"timestamp":"2018-11-23T17:48:31.122061+0000","flow_id":2131601878778011,"event_type":"fileinfo","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","http":{"hostname":"www.atlantictoursrd.com","url":"\/dWUYS8Xoq\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"application\/octet-stream","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":104073},"app_proto":"http","filei

This file has been truncated.
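To show how the EVE records above are meant to be read together rather than one line at a time, here is an added example. It is my own code, not part of this page or of Suricata. It correlates a trimmed copy of the records above by flow_id and applies three checks: an alert-bearing HTTP transaction whose response was served with a binary content type from a URL that has no executable extension (the condition the "non-exe extension" signature is aimed at, here reached through the 301 redirect from /dWUYS8Xoq to /dWUYS8Xoq/), an http event on TCP/443 (Suricata identifies the protocol from the payload, not the port, so an http event to port 443 means cleartext HTTP on a TLS port), and a TLS certificate whose subject equals its issuer (self-signed), tied back to the DNS answer that produced the server IP. The sample records are copied from the eve.json excerpt above with the User-Agent and a few bookkeeping fields removed; the list of binary content types and the shape of the findings are my assumptions.

```python
"""Correlate Suricata EVE JSON records into infection-chain findings.

Added example; not code from the original page or from Suricata.
"""
import json
from collections import defaultdict

# Constructed sample: records from the page's eve.json excerpt, with the
# http_user_agent, app_proto, protocol and gaps fields dropped for brevity.
SAMPLE_EVE = r'''
{"timestamp":"2018-11-23T17:45:45.480093+0000","flow_id":2131601878778011,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.atlantictoursrd.com","url":"/dWUYS8Xoq","http_content_type":"text/html"}}
{"timestamp":"2018-11-23T17:45:45.576387+0000","flow_id":2131601878778011,"event_type":"fileinfo","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","http":{"hostname":"www.atlantictoursrd.com","url":"/dWUYS8Xoq","http_content_type":"text/html","http_method":"GET","status":301,"redirect":"http://www.atlantictoursrd.com/dWUYS8Xoq/","length":249},"fileinfo":{"filename":"/dWUYS8Xoq","state":"CLOSED","stored":false,"size":249,"tx_id":0}}
{"timestamp":"2018-11-23T17:45:45.582156+0000","flow_id":2131601878778011,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2018-11-23T17:45:45.582156+0000","flow_id":2131601878778011,"event_type":"alert","src_ip":"166.62.74.3","src_port":80,"dest_ip":"10.11.23.101","dest_port":49465,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2022053,"rev":2,"signature":"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-11-23T17:45:45.654007+0000","flow_id":2131601878778011,"event_type":"http","src_ip":"10.11.23.101","src_port":49465,"dest_ip":"166.62.74.3","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"www.atlantictoursrd.com","url":"/dWUYS8Xoq/","http_content_type":"application/octet-stream"}}
{"timestamp":"2018-11-23T17:50:24.404762+0000","flow_id":1564322614627629,"event_type":"http","src_ip":"10.11.23.101","src_port":49472,"dest_ip":"74.56.138.57","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"74.56.138.57","url":"/"}}
{"timestamp":"2018-11-23T17:53:57.835470+0000","flow_id":1069553135404517,"event_type":"http","src_ip":"10.11.23.101","src_port":49480,"dest_ip":"23.94.123.231","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"23.94.123.231","url":"/","http_content_type":"text/html"}}
{"timestamp":"2018-11-23T17:53:58.042265+0000","flow_id":1775128215463193,"event_type":"dns","src_ip":"10.11.23.101","src_port":51092,"dest_ip":"10.11.23.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19283,"rrname":"usa.usagolfcar.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-11-23T17:53:58.142024+0000","flow_id":1775128215463193,"event_type":"dns","src_ip":"10.11.23.1","src_port":53,"dest_ip":"10.11.23.101","dest_port":51092,"proto":"UDP","dns":{"type":"answer","id":19283,"rcode":"NOERROR","rrname":"usa.usagolfcar.com","rrtype":"A","ttl":3600,"rdata":"198.55.107.148"}}
{"timestamp":"2018-11-23T17:54:00.235679+0000","flow_id":1524409499533772,"event_type":"tls","src_ip":"10.11.23.101","src_port":49481,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=NA, ST=huxu, O=olooraf, CN=erux.fr/emailAddress=neel@eyag.abc","issuerdn":"C=NA, ST=huxu, O=olooraf, CN=erux.fr/emailAddress=neel@eyag.abc"}}
{"timestamp":"2018-11-23T17:54:02.993418+0000","flow_id":1578906192217972,"event_type":"tls","src_ip":"10.11.23.101","src_port":49482,"dest_ip":"198.55.107.148","dest_port":443,"proto":"TCP","tls":{"subject":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca/emailAddress=hilu@sapo.tld","issuerdn":"C=LZ, ST=egiwoob, O=edilag, CN=uyude.ca/emailAddress=hilu@sapo.tld"}}
'''

# Assumption: content types under which a Windows PE is commonly served.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-dosexec"}


def parse_eve(text):
    """EVE is one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def group_by_flow(events):
    """All record types (http, fileinfo, alert, ...) share the flow_id."""
    flows = defaultdict(list)
    for ev in events:
        flows[ev["flow_id"]].append(ev)
    return flows


def dns_resolutions(events):
    """Map each answered A record back to the name the client asked for."""
    names = {}
    for ev in events:
        dns = ev.get("dns", {})
        if ev["event_type"] == "dns" and dns.get("type") == "answer" \
                and dns.get("rrtype") == "A":
            names[dns["rdata"]] = dns["rrname"]
    return names


def find_executable_downloads(flows):
    """Flows with alerts whose HTTP response was a binary type served from a
    URL with no .exe/.dll suffix; any 301 that led there is recorded too."""
    hits = []
    for fid, evs in flows.items():
        sids = sorted({e["alert"]["signature_id"] for e in evs
                       if e["event_type"] == "alert"})
        if not sids:
            continue
        redirects = [e["http"]["redirect"] for e in evs
                     if e["event_type"] == "fileinfo"
                     and "redirect" in e.get("http", {})]
        for e in evs:
            if e["event_type"] != "http":
                continue
            h = e["http"]
            if h.get("http_content_type") in BINARY_TYPES \
                    and not h["url"].lower().endswith((".exe", ".dll")):
                hits.append({"flow_id": fid, "host": h["hostname"],
                             "url": h["url"], "signature_ids": sids,
                             "via_redirect": redirects})
    return hits


def find_http_on_tls_port(events, tls_ports=(443,)):
    """An http record towards a TLS port means the payload was cleartext HTTP."""
    return [(e["dest_ip"], e["dest_port"]) for e in events
            if e["event_type"] == "http" and e["dest_port"] in tls_ports]


def find_self_signed_tls(events, names):
    """subject == issuerdn is the EVE-level signal for a self-signed cert."""
    return [{"dest_ip": e["dest_ip"], "resolved_from": names.get(e["dest_ip"]),
             "subject": e["tls"]["subject"]}
            for e in events if e["event_type"] == "tls"
            and e["tls"].get("subject") == e["tls"].get("issuerdn")]


def build_findings(text):
    events = parse_eve(text)
    flows = group_by_flow(events)
    names = dns_resolutions(events)
    return {"exe_downloads": find_executable_downloads(flows),
            "http_on_tls_port": find_http_on_tls_port(events),
            "self_signed_tls": find_self_signed_tls(events, names)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(build_findings(SAMPLE_EVE))
```

On the sample this yields one executable download (flow 2131601878778011, www.atlantictoursrd.com/dWUYS8Xoq/, reached through the 301, with signatures 2018959 and 2022053), two cleartext-HTTP-on-443 servers (74.56.138.57 and 23.94.123.231), and two self-signed TLS sessions to 198.55.107.148, the address usa.usagolfcar.com resolved to moments earlier. None of the three checks is conclusive on its own (self-signed certificates and HTTP on 443 both occur in benign traffic); the point of correlating by flow_id and DNS answer is that together they reconstruct the chain without relying solely on the signatures that happened to fire.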


suricata-4.0.0-etopen-all-alert-2018-11-24-T-06-43-21-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (1089 bytes) - download
11/23/2018-17:45:05.767380  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.769051  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:45.582156  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.582156  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.582156  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
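The fast.log above is the compact form of the same alerts; its fixed layout (timestamp, [gid:sid:rev], message, optional Classification, Priority, protocol, source -> destination) is easy to parse with one regular expression, and the Classification bracket is absent for rules without a classtype, which a parser has to allow for. As an added example (my own code, not part of this page or of Suricata), the following parses the five lines shown above and orders the alerting servers into the stages they represent for the victim host: the document and macro alerts from 64.187.229.195, then the EXE download from 166.62.74.3. The field names of the returned records are my choice.

```python
"""Parse Suricata fast.log and order alerting servers into stages.

Added example; not code from the original page or from Suricata.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Sample input: the fast.log lines shown on the page, copied verbatim.
SAMPLE_FAST_LOG = """\
11/23/2018-17:45:05.767380  [**] [1:2019613:3] ET POLICY Office Document Download Containing AutoOpen Macro [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:05.769051  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 64.187.229.195:80 -> 10.11.23.101:49463
11/23/2018-17:45:45.582156  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.582156  [**] [1:2022053:2] ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
11/23/2018-17:45:45.582156  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 166.62.74.3:80 -> 10.11.23.101:49465
"""

# The Classification bracket is optional: rules without a classtype omit it.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_line(line):
    """Return a dict for one fast.log line, or None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_fast_log(text):
    """Parse every line, silently dropping lines that are not alerts."""
    return [r for r in map(parse_fast_line, text.splitlines()) if r]


def infection_chain(alerts, victim):
    """Servers that raised alerts towards `victim`, in first-seen order,
    each with the distinct signature ids it fired (sorted() is stable, so
    alerts sharing a timestamp keep their file order)."""
    chain = OrderedDict()
    for a in sorted(alerts, key=lambda r: r["ts"]):
        if a["dst"] != victim:
            continue
        sids = chain.setdefault(a["src"], [])
        if a["sid"] not in sids:
            sids.append(a["sid"])
    return [(server, sids) for server, sids in chain.items()]


if __name__ == "__main__":
    for server, sids in infection_chain(parse_fast_log(SAMPLE_FAST_LOG),
                                        "10.11.23.101"):
        print(server, sids)
```

Keying the chain on the alerting server rather than on the signature is deliberate: the three EXE alerts at 17:45:45.582156 share one timestamp and one connection, and grouping them under 166.62.74.3 reads as a single stage, which is how an analyst would describe it.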


keyword_perf.log - (15486 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/24/2018 -- 06:43:21
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             17280322        5298            5298            1724061         3261.00         3261.00         0.00           
  content          42902391        3344            1244            5900524         12829.00        19354.00        8964.00        
  pcre             1380150         238             80              38295           5798.00         5849.00         5773.00        
  byte_test        213432          66              28              5898            3233.00         3681.00         2903.00        
  byte_jump        97490           29              10              4785            3361.00         3202.00         3445.00        
  isdataat         20942           7               0               3538            2991.00         0.00            2991.00        
  flowbits         2013848         706             30              6378            2852.00         3902.00         2805.00        
  urilen           547349          169             44              33269           3238.00         3742.00         3061.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             17280322        5298            5298            1724061         3261.00         3261.00         0.00           
  flowbits         1942802         691             15              4756            2811.00         3067.00         2805.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2828398         648             172             61429           4364.00         4532.00         4304.00        
  pcre             382192          74              7               21581           5164.00         5464.00         5133.00        
  byte_test        213432          66              28              5898            3233.00         3681.00         2903.00        
  byte_jump        65466           19              0               4785            3445.00         0.00            3445.00        
  isdataat         20942           7               0               3538            2991.00         0.00            2991.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         71046           15              15              6378            4736.00         4736.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          398722          116             19              8660            3437.00         4014.00         3324.00        
  pcre             352337          72              19              38295           4893.00         6157.00         4440.00        
  urilen           547349          169             44              33269           3238.00         3742.00         3061.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          39765           13              0               3581            3058.00         0.00            3058.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          35310157        1483            266             5900524         23809.00        75080.00        12603.00       
  pcre             27183           7               0               7651            3883.00         0.00            3883.00        
  byte_jump        32024           10              10              4749            3202.00         3202.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2631766         631             506             34677           4170.00         4217.00         3982.00        
  pcre             598640          82              54              22617           7300.00         5791.00         10211.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          177202          52              22              5714            3407.00         3618.00         3253.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6438            2               2               3493            3219.00         3219.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept_enc
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6250            2               2               3168            3125.00         3125.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3560            1               0               3560            3560.00         0.00            3560.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6172            2               2               3109            3086.00         3086.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4937            1               0               4937            4937.00         0.00            4937.00        
  pcre             13507           1               0               13507           13507.00        0.00            13507.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          204721          64              27              4646            3198.00         3399.00         3052.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1270439         325             223             17531           3909.00         4103.00         3483.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             6291            2               0               3237            3145.00         0.00            3145.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3284            1               0               3284            3284.00         0.00            3284.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          10580           3               3               4052            3526.00         3526.00         0.00           


suricata-report-2018-11-24-T-06-43-21-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (18350 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872fd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none
elapsedtime:8.957421
stderr:
stdout:
24/11/2018 -- 06:43:12 - <Info> - Configuration node 'rule-files' redefined.
24/11/2018 -- 06:43:12 - <Notice> - This is Suricata version 4.0.0 RELEASE
24/11/2018 -- 06:43:12 - <Info> - CPUs/cores online: 1
24/11/2018 -- 06:43:12 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31978 and 'request-body-inspect-window' set to 16328 after randomization.
24/11/2018 -- 06:43:12 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33989 and 'response-body-inspect-window' set to 17102 after randomization.
24/11/2018 -- 06:43:12 - <Config> - DNS request flood protection level: 500
24/11/2018 -- 06:43:12 - <Config> - DNS per flow memcap (state-memcap): 524288
24/11/2018 -- 06:43:12 - <Config> - DNS global memcap: 16777216
24/11/2018 -- 06:43:12 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
24/11/2018 -- 06:43:12 - <Config> - preallocated 1000 hosts of size 136
24/11/2018 -- 06:43:12 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
24/11/2018 -- 06:43:12 - <Config> - using magic-file /usr/share/file/magic
24/11/2018 -- 06:43:12 - <Config> - Core dump size is unlimited.
24/11/2018 -- 06:43:12 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/11/2018 -- 06:43:12 - <Config> - preallocated 1000 defrag trackers of size 168
24/11/2018 -- 06:43:12 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
24/11/2018 -- 06:43:12 - <Config> - stream "prealloc-sessions": 2048 (per thread)
24/11/2018 -- 06:43:12 - <Config> - stream "memcap": 33554432
24/11/2018 -- 06:43:12 - <Config> - stream "midstream" session pickups: disabled
24/11/2018 -- 06:43:12 - <Config> - stream "async-oneside": disabled
24/11/2018 -- 06:43:12 - <Config> - stream "checksum-validation": disabled
24/11/2018 -- 06:43:12 - <Config> - stream."inline": disabled
24/11/2018 -- 06:43:12 - <Config> - stream "bypass": disabled
24/11/2018 -- 06:43:12 - <Config> - stream "max-synack-queued": 5
24/11/2018 -- 06:43:12 - <Config> - stream.reassembly "memcap": 134217728
24/11/2018 -- 06:43:12 - <Config> - stream.reassembly "depth": 0
24/11/2018 -- 06:43:12 - <Config> - stream.reassembly "toserver-chunk-size": 2616
24/11/2018 -- 06:43:12 - <Config> - stream.reassembly "toclient-chunk-size": 2631
24/11/2018 -- 06:43:12 - <Config> - stream.reassembly.raw: enabled
24/11/2018 -- 06:43:12 - <Config> - stream.reassembly "segment-prealloc": 2048
24/11/2018 -- 06:43:12 - <Config> - Delayed detect disabled
24/11/2018 -- 06:43:12 - <Config> - pattern matchers: MPM: ac, SPM: bm
24/11/2018 -- 06:43:12 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
24/11/2018 -- 06:43:12 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
24/11/2018 -- 06:43:12 - <Config> - prefilter engines: MPM
24/11/2018 -- 06:43:12 - <Config> - IP reputation disabled
24/11/2018 -- 06:43:12 - <Perf> - Registered 148 keyword profiling counters.
24/11/2018 -- 06:43:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-ftp.rules
24/11/2018 -- 06:43:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-policy.rules
24/11/2018 -- 06:43:12 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-trojan.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-games.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-pop3.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-user_agents.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-activex.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-rpc.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-attack_response.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp.rules
24/11/2018 -- 06:43:13 - <Config> - No rules loaded from ET-emerging-icmp.rules.
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-scan.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-voip.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-chat.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-icmp_info.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-info.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-shellcode.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_client.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-imap.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_server.rules
24/11/2018 -- 06:43:13 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-current_events.rules
24/11/2018 -- 06:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-inappropriate.rules
24/11/2018 -- 06:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-smtp.rules
24/11/2018 -- 06:43:14 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-web_specific_apps.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-deleted.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-malware.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-snmp.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-worm.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dns.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-misc.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-sql.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-dos.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-netbios.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-telnet.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-exploit.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-p2p.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-tftp.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-emerging-mobile_malware.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-botcc.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-compromised.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-drop.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-dshield.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-tor.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/ET-ciarmy.rules
24/11/2018 -- 06:43:16 - <Config> - Loading rule file: /opt/suricata400/etc/etopen/local.rules
24/11/2018 -- 06:43:16 - <Config> - No rules loaded from local.rules.
24/11/2018 -- 06:43:16 - <Info> - 44 rule files processed. 18236 rules successfully loaded, 0 rules failed
24/11/2018 -- 06:43:16 - <Info> - Threshold config parsed: 0 rule(s) found
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for tcp-packet
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for tcp-stream
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for udp-packet
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for other-ip
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_uri
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_client_body
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_header
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_header_names
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_accept
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_accept_enc
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_accept_lang
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_referer
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_connection
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_content_len
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_content_type
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_protocol
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_start
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_raw_header
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_method
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_cookie
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_raw_uri
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_user_agent
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_host
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_raw_host
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_stat_msg
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_stat_code
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for dns_query
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for tls_sni
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for tls_cert_issuer
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for tls_cert_subject
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for tls_cert_serial
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for dce_stub_data
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for ssh_protocol
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for ssh_software
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for file_data
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_request_line
24/11/2018 -- 06:43:16 - <Perf> - using shared mpm ctx' for http_response_line
24/11/2018 -- 06:43:16 - <Info> - 18241 signatures processed. 1175 are IP-only rules, 6125 are inspecting packet payload, 13172 inspect application layer, 0 are decoder event only
24/11/2018 -- 06:43:16 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
24/11/2018 -- 06:43:17 - <Perf> - TCP toserver: 41 port groups, 40 unique SGH's, 1 copies
24/11/2018 -- 06:43:17 - <Perf> - TCP toclient: 21 port groups, 21 unique SGH's, 0 copies
24/11/2018 -- 06:43:17 - <Perf> - UDP toserver: 41 port groups, 33 unique SGH's, 8 copies
24/11/2018 -- 06:43:17 - <Perf> - UDP toclient: 21 port groups, 15 unique SGH's, 6 copies
24/11/2018 -- 06:43:17 - <Perf> - OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
24/11/2018 -- 06:43:17 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
24/11/2018 -- 06:43:18 - <Perf> - Unique rule groups: 111
24/11/2018 -- 06:43:18 - <Perf> - Builtin MPM "toserver TCP packet": 31
24/11/2018 -- 06:43:18 - <Perf> - Builtin MPM "toclient TCP packet": 20
24/11/2018 -- 06:43:18 - <Perf> - Builtin MPM "toserver TCP stream": 31
24/11/2018 -- 06:43:18 - <Perf> - Builtin MPM "toclient TCP stream": 21
24/11/2018 -- 06:43:18 - <Perf> - Builtin MPM "toserver UDP packet": 33
24/11/2018 -- 06:43:18 - <Perf> - Builtin MPM "toclient UDP packet": 15
24/11/2018 -- 06:43:18 - <Perf> - Builtin MPM "other IP packet": 2
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_uri": 8
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_request_line": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_client_body": 6
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient http_response_line": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_header": 6
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient http_header": 3
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_header_names": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_accept": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_referer": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_content_len": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_content_type": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient http_content_type": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_start": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_method": 3
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_cookie": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient http_cookie": 2
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_user_agent": 4
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver http_host": 2
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient http_stat_code": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver dns_query": 4
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver tls_sni": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toserver file_data": 1
24/11/2018 -- 06:43:18 - <Perf> - AppLayer MPM "toclient file_data": 5
24/11/2018 -- 06:43:18 - <Perf> - Registered 18241 rule profiling counters.
24/11/2018 -- 06:43:18 - <Info> - fast output device (regular) initialized: alert
24/11/2018 -- 06:43:18 - <Info> - eve-log output device (regular) initialized: eve.json
24/11/2018 -- 06:43:18 - <Config> - enabling 'eve-log' module 'alert'
24/11/2018 -- 06:43:18 - <Config> - enabling 'eve-log' module 'http'
24/11/2018 -- 06:43:18 - <Config> - enabling 'eve-log' module 'dns'
24/11/2018 -- 06:43:18 - <Config> - enabling 'eve-log' module 'tls'
24/11/2018 -- 06:43:18 - <Config> - enabling 'eve-l

This file has been truncated.


suricata-4.0.0-etopen-all-perf.txt-2018-11-24-T-06-43-21-11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap.txt - (37335 bytes)
  --------------------------------------------------------------------------
  Date: 11/24/2018 -- 06:43:21. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2014473      1        5        13984803     7.83   263      0        12418587    53174.16    0.00        53174.16   
  2        2018342      1        2        7311756      4.09   11       0        6207904     664705.09   0.00        664705.09  
  3        2020865      1        3        32290698     18.08  206      0        5971459     156750.96   0.00        156750.96  
  4        2017552      1        6        28430758     15.92  1498     0        5969319     18979.14    0.00        18979.14   
  5        2024228      1        3        2921551      1.64   25       0        1315289     116862.04   0.00        116862.04  
  6        2016855      1        2        223498       0.13   1        0        223498      223498.00   0.00        223498.00  
  7        2012520      1        7        193560       0.11   1        1        193560      193560.00   193560.00   0.00       
  8        2023679      1        3        184019       0.10   1        0        184019      184019.00   0.00        184019.00  
  9        2016854      1        3        179569       0.10   1        0        179569      179569.00   0.00        179569.00  
  10       2021735      1        4        530417       0.30   16       0        173327      33151.06    0.00        33151.06   
  11       2016537      1        2        21103798     11.82  1480     0        152584      14259.32    0.00        14259.32   
  12       2018358      1        7        1549321      0.87   17       0        148606      91136.53    0.00        91136.53   
  13       2019837      1        3        153461       0.09   9        1        130986      17051.22    130986.00   2809.38    
  14       2017373      1        6        781793       0.44   7        0        128805      111684.71   0.00        111684.71  
  15       2024769      1        2        985182       0.55   10       0        123685      98518.20    0.00        98518.20   
  16       2016858      1        10       577268       0.32   17       0        104982      33956.94    0.00        33956.94   
  17       2019344      1        5        1017912      0.57   17       1        102512      59877.18    79525.00    58649.19   
  18       2021736      1        3        390101       0.22   16       0        99604       24381.31    0.00        24381.31   
  19       2022049      1        3        503238       0.28   17       2        97436       29602.24    85289.50    22177.27   
  20       2019613      1        3        151304       0.08   8        1        96804       18913.00    96804.00    7785.71    
  21       2024771      1        1        2446677      1.37   364      0        93833       6721.64     0.00        6721.64    
  22       2021743      1        4        363047       0.20   16       0        89613       22690.44    0.00        22690.44   
  23       2022054      1        3        154640       0.09   2        0        80005       77320.00    0.00        77320.00   
  24       2023671      1        4        76867        0.04   1        0        76867       76867.00    0.00        76867.00   
  25       2014519      1        7        4547281      2.55   225      0        68247       20210.14    0.00        20210.14   
  26       2019881      1        3        626876       0.35   17       0        67663       36875.06    0.00        36875.06   
  27       2018005      1        6        740111       0.41   16       0        66459       46256.94    0.00        46256.94   
  28       2021266      1        2        67804        0.04   2        0        65253       33902.00    0.00        33902.00   
  29       2018242      1        5        609074       0.34   17       0        65068       35827.88    0.00        35827.88   
  30       2024829      1        2        2671331      1.50   127      0        63976       21034.10    0.00        21034.10   
  31       2022262      1        3        552594       0.31   17       0        62646       32505.53    0.00        32505.53   
  32       2024650      1        1        2047672      1.15   321      0        60771       6379.04     0.00        6379.04    
  33       2017613      1        9        607045       0.34   17       0        60224       35708.53    0.00        35708.53   
  34       2019345      1        2        648231       0.36   42       0        60077       15434.07    0.00        15434.07   
  35       2018959      1        3        59948        0.03   1        1        59948       59948.00    59948.00    0.00       
  36       2008575      1        5        636250       0.36   67       0        59863       9496.27     0.00        9496.27    
  37       2023315      1        2        654313       0.37   17       0        59508       38489.00    0.00        38489.00   
  38       2018958      1        18       714077       0.40   17       0        59241       42004.53    0.00        42004.53   
  39       2022339      1        2        786749       0.44   17       0        59114       46279.35    0.00        46279.35   
  40       2018241      1        2        58023        0.03   1        0        58023       58023.00    0.00        58023.00   
  41       2023875      1        2        546384       0.31   17       0        56301       32140.24    0.00        32140.24   
  42       2022220      1        2        653679       0.37   17       0        55813       38451.71    0.00        38451.71   
  43       2024272      1        4        403644       0.23   14       0        55557       28831.71    0.00        28831.71   
  44       2025064      1        5        683793       0.38   18       0        55161       37988.50    0.00        37988.50   
  45       2020388      1        8        477521       0.27   18       0        55153       26528.94    0.00        26528.94   
  46       2024909      1        2        2134771      1.20   105      0        54933       20331.15    0.00        20331.15   
  47       2024777      1        2        383364       0.21   108      0        54121       3549.67     0.00        3549.67    
  48       2003492      1        30       398501       0.22   17       0        53505       23441.24    0.00        23441.24   
  49       2014353      1        6        52387        0.03   1        0        52387       52387.00    0.00        52387.00   
  50       2022552      1        2        4263664      2.39   215      0        51604       19831.00    0.00        19831.00   
  51       2021075      1        2        146762       0.08   4        0        51459       36690.50    0.00        36690.50   
  52       2020705      1        4        418293       0.23   17       0        50024       24605.47    0.00        24605.47   
  53       2022503      1        2        600172       0.34   17       0        49987       35304.24    0.00        35304.24   
  54       2022207      1        4        510615       0.29   17       0        49497       30036.18    0.00        30036.18   
  55       2001330      1        8        4229185      2.37   1500     0        48987       2819.46     0.00        2819.46    
  56       2021070      1        2        84165        0.05   2        2        48690       42082.50    42082.50    0.00       
  57       2017816      1        4        575462       0.32   16       0        48130       35966.38    0.00        35966.38   
  58       2018281      1        4        99307        0.06   13       0        47992       7639.00     0.00        7639.00    
  59       2021413      1        2        47954        0.03   1        0        47954       47954.00    0.00        47954.00   
  60       2013352      1        4        47454        0.03   1        0        47454       47454.00    0.00        47454.00   
  61       2023672      1        4        47024        0.03   1        0        47024       47024.00    0.00        47024.00   
  62       2018452      1        15       600131       0.34   17       0        45557       35301.82    0.00        35301.82   
  63       2023670      1        3        613025       0.34   17       3        45301       36060.29    42260.33    34731.71   
  64       2018477      1        1        487183       0.27   44       0        44117       11072.34    0.00        11072.34   
  65       2021151      1        1        179836       0.10   38       0        43872       4732.53     0.00        4732.53    
  66       2016502      1        2        1597800      0.89   265      0        43819       6029.43     0.00        6029.43    
  67       2017261      1        3        42866        0.02   1        0        42866       42866.00    0.00        42866.00   
  68       2019693      1        5        511427       0.29   17       0        42604       30083.94    0.00        30083.94   
  69       2022502      1        4        119743       0.07   3        0        42015       39914.33    0.00        39914.33   
  70       2009028      1        11       41767        0.02   1        0        41767       41767.00    0.00        41767.00   
  71       2021067      1        2        111622       0.06   3        2        41416       37207.33    40411.00    30800.00   
  72       2018981      1        4        499389       0.28   17       0        39995       29375.82    0.00        29375.82   
  73       2021073      1        2        69455        0.04   2        1        39626       34727.50    39626.00    29829.00   
  74       2018983      1        7        461202       0.26   17       0        38773       27129.53    0.00        27129.53   
  75       2003657      1        18       405225       0.23   17       0        38304       23836.76    0.00        23836.76   
  76       2022053      1        2        38107        0.02   1        1        38107       38107.00    38107.00    0.00       
  77       2020369      1        3        37926        0.02   1        0        37926       37926.00    0.00        37926.00   
  78       2018054      1        1        37784        0.02   1        0        37784       37784.00    0.00        37784.00   
  79       2013827      1        6        126289       0.07   4        0        37512       31572.25    0.00        31572.25   
  80       2019094      1        5        37247        0.02   1        0        37247       37247.00    0.00        37247.00   
  81       2024178      1        2        388204       0.22   17       0        36356       22835.53    0.00        22835.53   
  82       2024767      1        2        491510       0.28   17       0        36240       28912.35    0.00        28912.35   
  83       2022609      1        2        67359        0.04   2        0        35502       33679.50    0.00        33679.50   
  84       2023916      1        2        35490        0.02   1        0        35490       35490.00    0.00        35490.00   
  85       2024601      1        2        35250        0.02   1        0        35250       35250.00    0.00        35250.00   
  86       2022901      1        2        35238        0.02   1        0        35238       35238.00    0.00        35238.00   
  87       2020380      1        3        379161       0.21   17       0        35018       22303.59    0.00        22303.59   
  88       2016112      1        3        1079612      0.60   187      0        34548       5773.33     0.00        5773.33    
  89       2021418      1        9        34485        0.02   1        0        34485       34485.00    0.00        34485.00   
  90       2011894      1        19       473030       0.26   17       0        34097       27825.29    0.00        27825.29   
  91       2016223      1        10       362189       0.20   17       0        33672       21305.24    0.00        21305.24   
  92       2012612      1        16       389413       0.22   17       0        33456       22906.65    0.00        22906.65   
  93       2022197      1        3        90539        0.05   3        0        32749       30179.67    0.00        30179.67   
  94       2015877      1        6        32382        0.02   1        0        32382       32382.00    0.00        32382.00   
  95       2019343      1        3        31329        0.02   1        0        31329       31329.00    0.00        31329.00   
  96       2014520      1        6        625186       0.35   99       1        31194       6315.01     13343.00    6243.30    
  97       2021068      1        2        121961       0.07   4        0        31115       30490.25    0.00        30490.25   
  98       2018496      1        9        475608       0.27   17       0        30526       27976.94    0.00        27976.94   
  99       2019834      1        2        30478        0.02   1        1        30478       30478.00    30478.00    0.00       
  100      2022203      1        2        60366        0.03   2        0        30347       30183.00    0.00        30183.00   
  101      2025162      1        2        59118        0.03   2        0        29937       29559.00    0.00        29559.00   
  102      2022198      1        2        116662       0.07   4        0        29678       29165.50    0.00        29165.50   
  103      2019230      1        2        146236       0.08   14       0        29506       10445.43    0.00        10445.43   
  104      2020202      1        2        58444        0.03   2        0        29446       29222.00    0.00        29222.00   
  105      2022200      1        2        57211        0.03   2        0        29321       28605.50    0.00        28605.50   
  106      2018086      1        5        182496       0.10   9        0        28955       20277.33    0.00        20277.33   
  107      2022205      1        2        109480       0.06   4        0        28426       27370.00    0.00        27370.00   
  108      2018375      1        3        872102       0.49   65       0        28338       13416.95    0.00        13416.95   
  109      2020181      1        8        28227        0.02   1        0        28227       28227.00    0.00        28227.00   
  110      2017948      1        2        28131        0.02   1        0        28131       28131.00    0.00        28131.00   
  111      2009702      1        5        192838       0.11   14       0        27660       13774.14    0.00        13774.14   
  112      2100327      1        10       48746        0.03   7        0        27507       6963.71     0.00        6963.71    
  113      2018576      1        4        218086       0.12   11       0        27177       19826.00    0.00        19826.00   
  114      2020771      1        2        26680        0.01   1        0        26680       26680.00    0.00        26680.00   
  115      2008782      1        5        26232        0.01   1        0        26232       26232.00    0.00        26232.00   
  116      2017093      1        2        51383        0.03   2        0        26061       25691.50    0.00        25691.50   
  117      2014701      1        12       171486       0.10   14       0        24368       12249.00    0.00        12249.00   
  118      2012707      1        5        281787       0.16   13       0        24217       21675.92    0.00        21675.92   
  119      2018010      1        5        360912       0.20   17       0        24146       21230.12    0.00        21230.12   
  120      2016948      1        2        1331038      0.75   234      0        23862       5688.20     0.00        5688.20    
  121      2022055      1        2        215916       0.12   11       0        23583       19628.73    0.00        19628.73   
  122      2020855      1        3        23208        0.01   1        0        23208       23208.00    0.00        23208.00   
  123      2020776      1        2        23173        0.01   1        0        23173       23173.00    0.00        23173.00   
  124      2024606      1        2        23077        0.01   1        0        23077       23077.00    0.00        23077.00   
  125      2018287      1        2        

This file has been truncated.


IDSDeathBlossom.py.log - (1183 bytes)
2018-11-24 06:43:11,454 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-24 06:43:12,167 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-24 06:43:12,167 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etopen-all
2018-11-24 06:43:12,167 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-24 06:43:12,167 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-24 06:43:12,167 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etopen/suricata400-etopen-all.yaml -l /var/www/html/e0350bf4bf277b51967d5ff5e696872fd2a6d3ad9c956d904083161fa55f2f7a -r /var/pcap/11242018.0605-2018-11-23-Emotet-infection-with-Gootkit.pcap -vvv -k none
2018-11-24 06:43:21,127 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-24 06:43:21,127 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 9.68116188049