Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 5877 12354376 1923950190 1039636068 6109.9b 98.03
IPv4 17 123 12446790 1919785140 924558532 113.7b 1.82
IPv6 17 12 11859408 1371627274 753076931 9.0b 0.14
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 5877 113588 33632874 364321 2.1b 93.26
TMM_FLOWWORKER IPv4 17 123 204726 10714496 774469 95.3m 4.15
TMM_RECEIVEPCAPFILE IPv4 6 5505 4422 155380 4841 26.7m 1.16
TMM_RECEIVEPCAPFILE IPv4 17 123 4438 22228 4827 593.8k 0.03
TMM_DECODEPCAPFILE IPv4 6 5505 4550 82546 4872 26.8m 1.17
TMM_DECODEPCAPFILE IPv4 17 123 4568 17488 5184 637.7k 0.03
TMM_FLOWWORKER IPv6 17 12 187410 645828 373831 4.5m 0.20
TMM_RECEIVEPCAPFILE IPv6 17 12 4466 5304 4691 56.3k 0.00
TMM_DECODEPCAPFILE IPv6 17 12 4672 45640 9115 109.4k 0.00
Flow Worker IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
flow IPv4 6 5505 4730 6549588 8137 44.8m 2.19
flow IPv4 17 123 4762 23578 7763 954.9k 0.05
stream IPv4 6 5877 4576 1013110 23560 138.5m 6.76
app-layer IPv4 17 123 4428 106636 24083 3.0m 0.14
detect IPv4 6 5877 76732 33542768 296024 1.7b 84.96
detect IPv4 17 123 176788 10679358 644672 79.3m 3.87
tcp-prune IPv4 6 5877 4430 6759954 6339 37.3m 1.82
flow IPv6 17 12 4962 32712 9149 109.8k 0.01
app-layer IPv6 17 12 4470 54324 11729 140.8k 0.01
detect IPv6 17 12 159556 579212 333789 4.0m 0.20
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
tls IPv4 6 372 4500 68626 5580 2.1m 62.83
tls IPv4 17 4 4766 124262 35773 143.1k 4.33
dns IPv4 17 107 5218 38342 8849 946.9k 28.66
tls IPv6 17 2 5100 124262 64681 129.4k 3.92
dns IPv6 17 1 8726 8726 8726 8.7k 0.26
Proto detect IPv4 17 111 4706 22696 8103 899.5k
Proto detect IPv6 17 4 5594 42622 15310 61.2k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
LOGGER_JSON_DNS IPv4 17 106 28608 608994 82954 8.8m 27.70
LOGGER_JSON_TLS IPv4 6 368 35204 167432 62372 23.0m 72.30
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 2850 4452 33100972 38288 109.1m 43.77
payload IPv4 17 123 5246 2215664 65123 8.0m 3.21
stream IPv4 6 2850 4412 10822980 42292 120.5m 48.35
dns_query IPv4 17 53 4702 59210 20626 1.1m 0.44
tls_sni IPv4 6 368 5204 68358 7168 2.6m 1.06
tls_cert_issuer IPv4 6 368 5034 32234 7019 2.6m 1.04
tls_cert_subject IPv4 6 368 4766 91168 6542 2.4m 0.97
tls_cert_serial IPv4 6 368 4754 35374 6210 2.3m 0.92
Total IPv4 7348 33842 248.7m
payload IPv6 17 12 5466 171516 51515 618.2k 0.25
Total IPv6 12 51515 618.2k
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
PROF_DETECT_IPONLY IPv4 6 741 5272 154844 33408 24.8m 1.30
PROF_DETECT_IPONLY IPv4 17 111 41618 256196 57481 6.4m 0.33
PROF_DETECT_RULES IPv4 6 5877 4416 12133026 125442 737.2m 38.66
PROF_DETECT_RULES IPv4 17 123 76802 724984 293518 36.1m 1.89
PROF_DETECT_STATEFUL_CONT IPv4 6 5877 4388 90826 7632 44.9m 2.35
PROF_DETECT_STATEFUL_CONT IPv4 17 123 4454 106576 9536 1.2m 0.06
PROF_DETECT_STATEFUL_UPDATE IPv4 6 3698 4440 6327942 6795 25.1m 1.32
PROF_DETECT_STATEFUL_UPDATE IPv4 17 106 4548 21368 5343 566.4k 0.03
PROF_DETECT_PREFILTER IPv4 6 5877 13508 33156800 79834 469.2m 24.60
PROF_DETECT_PREFILTER IPv4 17 123 41072 10469976 206190 25.4m 1.33
PROF_DETECT_PF_PAYLOAD IPv4 6 2850 22480 33123108 101271 288.6m 15.14
PROF_DETECT_PF_PAYLOAD IPv4 17 123 14166 2225468 74849 9.2m 0.48
PROF_DETECT_PF_TX IPv4 6 3698 4482 146342 9950 36.8m 1.93
PROF_DETECT_PF_TX IPv4 17 53 13658 69850 30534 1.6m 0.08
PROF_DETECT_PF_SORT1 IPv4 6 2213 4412 40836 5408 12.0m 0.63
PROF_DETECT_PF_SORT1 IPv4 17 123 4466 22122 6090 749.2k 0.04
PROF_DETECT_PF_SORT2 IPv4 6 5877 4402 207662 4974 29.2m 1.53
PROF_DETECT_PF_SORT2 IPv4 17 123 4442 11032 5489 675.2k 0.04
PROF_DETECT_NONMPMLIST IPv4 6 5877 4404 13435002 7392 43.4m 2.28
PROF_DETECT_NONMPMLIST IPv4 17 123 4424 29578 5779 710.9k 0.04
PROF_DETECT_ALERT IPv4 6 5877 4396 424706 4960 29.2m 1.53
PROF_DETECT_ALERT IPv4 17 123 4420 6178 4792 589.4k 0.03
PROF_DETECT_CLEANUP IPv4 6 5877 4448 6556012 7291 42.9m 2.25
PROF_DETECT_CLEANUP IPv4 17 123 4418 39572 5957 732.7k 0.04
PROF_DETECT_GETSGH IPv4 6 5877 4406 106302 5823 34.2m 1.79
PROF_DETECT_GETSGH IPv4 17 123 4612 33610 9922 1.2m 0.06
PROF_DETECT_IPONLY IPv6 17 4 7342 66808 24596 98.4k 0.01
PROF_DETECT_RULES IPv6 17 12 58798 252304 150023 1.8m 0.09
PROF_DETECT_STATEFUL_CONT IPv6 17 12 4446 4800 4657 55.9k 0.00
PROF_DETECT_PREFILTER IPv6 17 12 41644 211258 92361 1.1m 0.06
PROF_DETECT_PF_PAYLOAD IPv6 17 12 14448 180410 60599 727.2k 0.04
PROF_DETECT_PF_SORT1 IPv6 17 12 4538 21244 6884 82.6k 0.00
PROF_DETECT_PF_SORT2 IPv6 17 12 4452 18876 6304 75.7k 0.00
PROF_DETECT_NONMPMLIST IPv6 17 12 4424 5792 5156 61.9k 0.00
PROF_DETECT_ALERT IPv6 17 12 4446 5464 4600 55.2k 0.00
PROF_DETECT_CLEANUP IPv6 17 12 4446 8256 5308 63.7k 0.00
PROF_DETECT_GETSGH IPv6 17 12 4466 100646 17604 211.3k 0.01
------------------------------------------------------------------------------------
Date: 10/15/2019 -- 09:44:35 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 7082
decoder.bytes | Total | 2443240
decoder.ipv4 | Total | 5628
decoder.ipv6 | Total | 12
decoder.ethernet | Total | 7082
decoder.tcp | Total | 5505
decoder.udp | Total | 135
decoder.avg_pkt_size | Total | 344
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 372
flow.udp | Total | 63
tcp.sessions | Total | 372
tcp.syn | Total | 372
tcp.synack | Total | 369
tcp.rst | Total | 367
tcp.overlap | Total | 1
detect.mpm_list | Total | 3
detect.nonmpm_list | Total | 3
detect.match_list | Total | 4
app_layer.flow.tls | Total | 368
app_layer.flow.failed_tcp | Total | 1
app_layer.flow.dns_udp | Total | 52
app_layer.tx.dns_udp | Total | 53
app_layer.flow.failed_udp | Total | 11
flow.spare | Total | 10000
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65536
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7083808
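The counter dump above is Suricata's stats.log for this run. The following is an added example (not output from the page, and not Suricata's own code) that parses a constructed subset of exactly those counters and derives the few numbers an analyst actually wants from them: how many frames never decoded as IPv4/IPv6, whether the transport counters account for every IP packet, how many TCP handshakes lacked a SYN/ACK, and how many UDP flows the app-layer detector could not classify. The counter names are Suricata's; the check names are this example's own.

```python
# Constructed sample: a subset of the stats.log block shown on this page.
SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 10/15/2019 -- 09:44:35 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 7082
decoder.ipv4 | Total | 5628
decoder.ipv6 | Total | 12
decoder.ethernet | Total | 7082
decoder.tcp | Total | 5505
decoder.udp | Total | 135
flow.tcp | Total | 372
flow.udp | Total | 63
tcp.sessions | Total | 372
tcp.syn | Total | 372
tcp.synack | Total | 369
tcp.rst | Total | 367
app_layer.flow.tls | Total | 368
app_layer.flow.failed_tcp | Total | 1
app_layer.flow.dns_udp | Total | 52
app_layer.flow.failed_udp | Total | 11
"""


def parse_stats(text):
    """Parse 'counter | TM name | value' rows into a {counter: int} dict.

    Header, separator and date lines do not have three pipe-separated
    fields (or have 'Counter' as the first one) and are skipped.
    """
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or parts[0] == "Counter":
            continue
        name, _tm_name, value = parts
        if value.isdigit():
            counters[name] = int(value)
    return counters


def stats_checks(c):
    """Derive sanity checks from the raw counters.

    non_ip_frames: frames the decoder saw that were neither IPv4 nor IPv6
    (ARP and similar); they never reach flow or detect.
    transport_matches_ip: True when TCP+UDP account for every IP packet,
    i.e. nothing else (ICMP, other protocols) was present.
    tcp_sessions_without_synack: SYNs that never got a SYN/ACK; with
    midstream disabled these sessions carry no reassembled payload.
    udp_flows_unclassified: UDP flows where app-layer detection failed,
    so no DNS/TLS/... records exist for them in eve.json.
    """
    ip_pkts = c["decoder.ipv4"] + c["decoder.ipv6"]
    return {
        "non_ip_frames": c["decoder.pkts"] - ip_pkts,
        "transport_matches_ip": c["decoder.tcp"] + c["decoder.udp"] == ip_pkts,
        "tcp_sessions_without_synack": c["tcp.syn"] - c["tcp.synack"],
        "udp_flows_unclassified": c["app_layer.flow.failed_udp"],
        "udp_flows_total": c["flow.udp"],
    }


if __name__ == "__main__":
    for name, value in stats_checks(parse_stats(SAMPLE_STATS)).items():
        print(f"{name}: {value}")
```

On the page's numbers this reports 1442 non-IP frames, a clean TCP+UDP accounting, 3 TCP sessions with no SYN/ACK and 11 of 63 UDP flows that the app-layer detector never classified; those 11 flows are worth a look in the pcap because nothing about them appears in eve.json.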
{"timestamp":"2019-09-18T13:34:33.898697+0000","flow_id":1791126762272393,"pcap_cnt":12,"event_type":"dns","src_ip":"192.168.100.237","src_port":62014,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61364,"rrname":"www.shorico.club","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:33.922720+0000","flow_id":1791126762272393,"pcap_cnt":13,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":62014,"proto":"UDP","dns":{"type":"answer","id":61364,"rcode":"NOERROR","rrname":"www.shorico.club","rrtype":"A","ttl":1799,"rdata":"174.139.17.166"}}
{"timestamp":"2019-09-18T13:34:35.203384+0000","flow_id":605838195292234,"pcap_cnt":34,"event_type":"tls","src_ip":"192.168.100.237","src_port":49184,"dest_ip":"174.139.17.166","dest_port":443,"proto":"TCP","tls":{"subject":"CN=174.139.17.166","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:35.205960+0000","flow_id":2148745066838153,"pcap_cnt":38,"event_type":"tls","src_ip":"192.168.100.237","src_port":49185,"dest_ip":"174.139.17.166","dest_port":443,"proto":"TCP","tls":{"subject":"CN=174.139.17.166","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:36.477163+0000","flow_id":1029753614911467,"pcap_cnt":61,"event_type":"dns","src_ip":"192.168.100.237","src_port":52609,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28534,"rrname":"shorico.club","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:36.494106+0000","flow_id":1029753614911467,"pcap_cnt":62,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":52609,"proto":"UDP","dns":{"type":"answer","id":28534,"rcode":"NOERROR","rrname":"shorico.club","rrtype":"A","ttl":59,"rdata":"174.139.17.166"}}
{"timestamp":"2019-09-18T13:34:36.545870+0000","flow_id":1647936847776720,"pcap_cnt":76,"event_type":"tls","src_ip":"192.168.100.237","src_port":49207,"dest_ip":"174.139.17.166","dest_port":443,"proto":"TCP","tls":{"subject":"CN=174.139.17.166","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:36.548747+0000","flow_id":329356118101017,"pcap_cnt":80,"event_type":"tls","src_ip":"192.168.100.237","src_port":49208,"dest_ip":"174.139.17.166","dest_port":443,"proto":"TCP","tls":{"subject":"CN=174.139.17.166","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:37.831449+0000","flow_id":941416875143129,"pcap_cnt":111,"event_type":"dns","src_ip":"192.168.100.237","src_port":65096,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16477,"rrname":"shorico.xyz","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:37.849197+0000","flow_id":941416875143129,"pcap_cnt":112,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":65096,"proto":"UDP","dns":{"type":"answer","id":16477,"rcode":"NOERROR","rrname":"shorico.xyz","rrtype":"A","ttl":59,"rdata":"74.82.222.159"}}
{"timestamp":"2019-09-18T13:34:37.901510+0000","flow_id":1053895626192675,"pcap_cnt":126,"event_type":"tls","src_ip":"192.168.100.237","src_port":49230,"dest_ip":"74.82.222.159","dest_port":443,"proto":"TCP","tls":{"subject":"CN=74.82.222.159","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:37.903211+0000","flow_id":526192321886040,"pcap_cnt":130,"event_type":"tls","src_ip":"192.168.100.237","src_port":49231,"dest_ip":"74.82.222.159","dest_port":443,"proto":"TCP","tls":{"subject":"CN=74.82.222.159","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:38.039860+0000","flow_id":1140928843520948,"pcap_cnt":131,"event_type":"dns","src_ip":"192.168.100.237","src_port":55785,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28008,"rrname":"api.bing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:38.041344+0000","flow_id":2244872877547904,"pcap_cnt":132,"event_type":"dns","src_ip":"192.168.100.237","src_port":54112,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58465,"rrname":"www.bing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:38.041525+0000","flow_id":410786550686261,"pcap_cnt":133,"event_type":"dns","src_ip":"192.168.100.237","src_port":50237,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63022,"rrname":"www.bing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:38.041583+0000","flow_id":875169152148079,"pcap_cnt":134,"event_type":"dns","src_ip":"192.168.100.237","src_port":52496,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29182,"rrname":"api.bing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:38.041637+0000","flow_id":1312592243892901,"pcap_cnt":135,"event_type":"dns","src_ip":"192.168.100.237","src_port":60900,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8289,"rrname":"www.bing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:38.041782+0000","flow_id":362442398802742,"pcap_cnt":136,"event_type":"dns","src_ip":"192.168.100.237","src_port":63820,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46697,"rrname":"www.bing.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:38.045165+0000","flow_id":1140928843520948,"pcap_cnt":137,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":55785,"proto":"UDP","dns":{"type":"answer","id":28008,"rcode":"NOERROR","rrname":"api.bing.com","rrtype":"CNAME","ttl":3086,"rdata":"api-bing-com.e-0001.e-msedge.net"}}
{"timestamp":"2019-09-18T13:34:38.045165+0000","flow_id":1140928843520948,"pcap_cnt":137,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":55785,"proto":"UDP","dns":{"type":"answer","id":28008,"rcode":"NOERROR","rrname":"api-bing-com.e-0001.e-msedge.net","rrtype":"CNAME","ttl":597,"rdata":"e-0001.e-msedge.net"}}
{"timestamp":"2019-09-18T13:34:38.045165+0000","flow_id":1140928843520948,"pcap_cnt":137,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":55785,"proto":"UDP","dns":{"type":"answer","id":28008,"rcode":"NOERROR","rrname":"e-0001.e-msedge.net","rrtype":"A","ttl":238,"rdata":"13.107.5.80"}}
{"timestamp":"2019-09-18T13:34:38.046953+0000","flow_id":875169152148079,"pcap_cnt":138,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":52496,"proto":"UDP","dns":{"type":"answer","id":29182,"rcode":"NOERROR","rrname":"api.bing.com","rrtype":"CNAME","ttl":2951,"rdata":"api-bing-com.e-0001.e-msedge.net"}}
{"timestamp":"2019-09-18T13:34:38.046953+0000","flow_id":875169152148079,"pcap_cnt":138,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":52496,"proto":"UDP","dns":{"type":"answer","id":29182,"rcode":"NOERROR","rrname":"api-bing-com.e-0001.e-msedge.net","rrtype":"CNAME","ttl":462,"rdata":"e-0001.e-msedge.net"}}
{"timestamp":"2019-09-18T13:34:38.046953+0000","flow_id":875169152148079,"pcap_cnt":138,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":52496,"proto":"UDP","dns":{"type":"answer","id":29182,"rcode":"NOERROR","rrname":"e-0001.e-msedge.net","rrtype":"A","ttl":103,"rdata":"13.107.5.80"}}
{"timestamp":"2019-09-18T13:34:38.047604+0000","flow_id":362442398802742,"pcap_cnt":139,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":63820,"proto":"UDP","dns":{"type":"answer","id":46697,"rcode":"NOERROR","rrname":"www.bing.com","rrtype":"CNAME","ttl":1049,"rdata":"a-0001.a-afdentry.net.trafficmanager.net"}}
{"timestamp":"2019-09-18T13:34:38.047604+0000","flow_id":362442398802742,"pcap_cnt":139,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":63820,"proto":"UDP","dns":{"type":"answer","id":46697,"rcode":"NOERROR","rrname":"a-0001.a-afdentry.net.trafficmanager.net","rrtype":"CNAME","ttl":57,"rdata":"dual-a-0001.a-msedge.net"}}
{"timestamp":"2019-09-18T13:34:38.047604+0000","flow_id":362442398802742,"pcap_cnt":139,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":63820,"proto":"UDP","dns":{"type":"answer","id":46697,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":31,"rdata":"204.79.197.200"}}
{"timestamp":"2019-09-18T13:34:38.047604+0000","flow_id":362442398802742,"pcap_cnt":139,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":63820,"proto":"UDP","dns":{"type":"answer","id":46697,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":31,"rdata":"13.107.21.200"}}
{"timestamp":"2019-09-18T13:34:38.053683+0000","flow_id":2244872877547904,"pcap_cnt":140,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":54112,"proto":"UDP","dns":{"type":"answer","id":58465,"rcode":"NOERROR","rrname":"www.bing.com","rrtype":"CNAME","ttl":1806,"rdata":"a-0001.a-afdentry.net.trafficmanager.net"}}
{"timestamp":"2019-09-18T13:34:38.053683+0000","flow_id":2244872877547904,"pcap_cnt":140,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":54112,"proto":"UDP","dns":{"type":"answer","id":58465,"rcode":"NOERROR","rrname":"a-0001.a-afdentry.net.trafficmanager.net","rrtype":"CNAME","ttl":51,"rdata":"dual-a-0001.a-msedge.net"}}
{"timestamp":"2019-09-18T13:34:38.053683+0000","flow_id":2244872877547904,"pcap_cnt":140,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":54112,"proto":"UDP","dns":{"type":"answer","id":58465,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":10,"rdata":"204.79.197.200"}}
{"timestamp":"2019-09-18T13:34:38.053683+0000","flow_id":2244872877547904,"pcap_cnt":140,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":54112,"proto":"UDP","dns":{"type":"answer","id":58465,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":10,"rdata":"13.107.21.200"}}
{"timestamp":"2019-09-18T13:34:38.061685+0000","flow_id":1312592243892901,"pcap_cnt":141,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":60900,"proto":"UDP","dns":{"type":"answer","id":8289,"rcode":"NOERROR","rrname":"www.bing.com","rrtype":"CNAME","ttl":825,"rdata":"a-0001.a-afdentry.net.trafficmanager.net"}}
{"timestamp":"2019-09-18T13:34:38.061685+0000","flow_id":1312592243892901,"pcap_cnt":141,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":60900,"proto":"UDP","dns":{"type":"answer","id":8289,"rcode":"NOERROR","rrname":"a-0001.a-afdentry.net.trafficmanager.net","rrtype":"CNAME","ttl":59,"rdata":"dual-a-0001.a-msedge.net"}}
{"timestamp":"2019-09-18T13:34:38.061685+0000","flow_id":1312592243892901,"pcap_cnt":141,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":60900,"proto":"UDP","dns":{"type":"answer","id":8289,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":24,"rdata":"204.79.197.200"}}
{"timestamp":"2019-09-18T13:34:38.061685+0000","flow_id":1312592243892901,"pcap_cnt":141,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":60900,"proto":"UDP","dns":{"type":"answer","id":8289,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":24,"rdata":"13.107.21.200"}}
{"timestamp":"2019-09-18T13:34:38.071976+0000","flow_id":410786550686261,"pcap_cnt":142,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":50237,"proto":"UDP","dns":{"type":"answer","id":63022,"rcode":"NOERROR","rrname":"www.bing.com","rrtype":"CNAME","ttl":825,"rdata":"a-0001.a-afdentry.net.trafficmanager.net"}}
{"timestamp":"2019-09-18T13:34:38.071976+0000","flow_id":410786550686261,"pcap_cnt":142,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":50237,"proto":"UDP","dns":{"type":"answer","id":63022,"rcode":"NOERROR","rrname":"a-0001.a-afdentry.net.trafficmanager.net","rrtype":"CNAME","ttl":59,"rdata":"dual-a-0001.a-msedge.net"}}
{"timestamp":"2019-09-18T13:34:38.071976+0000","flow_id":410786550686261,"pcap_cnt":142,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":50237,"proto":"UDP","dns":{"type":"answer","id":63022,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":24,"rdata":"204.79.197.200"}}
{"timestamp":"2019-09-18T13:34:38.071976+0000","flow_id":410786550686261,"pcap_cnt":142,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":50237,"proto":"UDP","dns":{"type":"answer","id":63022,"rcode":"NOERROR","rrname":"dual-a-0001.a-msedge.net","rrtype":"A","ttl":24,"rdata":"13.107.21.200"}}
{"timestamp":"2019-09-18T13:34:40.204668+0000","flow_id":213207317802244,"pcap_cnt":186,"event_type":"tls","src_ip":"192.168.100.237","src_port":49267,"dest_ip":"204.79.197.200","dest_port":443,"proto":"TCP","tls":{"subject":"CN=204.79.197.200","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:40.210106+0000","flow_id":1505165692693823,"pcap_cnt":190,"event_type":"tls","src_ip":"192.168.100.237","src_port":49266,"dest_ip":"204.79.197.200","dest_port":443,"proto":"TCP","tls":{"subject":"CN=204.79.197.200","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:41.376099+0000","flow_id":2162383735818801,"pcap_cnt":230,"event_type":"tls","src_ip":"192.168.100.237","src_port":49287,"dest_ip":"174.139.17.166","dest_port":443,"proto":"TCP","tls":{"subject":"CN=174.139.17.166","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:41.376769+0000","flow_id":1929774749518464,"pcap_cnt":234,"event_type":"tls","src_ip":"192.168.100.237","src_port":49286,"dest_ip":"174.139.17.166","dest_port":443,"proto":"TCP","tls":{"subject":"CN=174.139.17.166","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:42.505329+0000","flow_id":787014948664817,"pcap_cnt":255,"event_type":"dns","src_ip":"192.168.100.237","src_port":52322,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49263,"rrname":"fpdownload.macromedia.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:42.538804+0000","flow_id":787014948664817,"pcap_cnt":256,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":52322,"proto":"UDP","dns":{"type":"answer","id":49263,"rcode":"NOERROR","rrname":"fpdownload.macromedia.com","rrtype":"CNAME","ttl":297,"rdata":"fpdownload.macromedia.com.edgekey.net"}}
{"timestamp":"2019-09-18T13:34:42.538804+0000","flow_id":787014948664817,"pcap_cnt":256,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":52322,"proto":"UDP","dns":{"type":"answer","id":49263,"rcode":"NOERROR","rrname":"fpdownload.macromedia.com.edgekey.net","rrtype":"CNAME","ttl":208,"rdata":"e13914.dscd.akamaiedge.net"}}
{"timestamp":"2019-09-18T13:34:42.538804+0000","flow_id":787014948664817,"pcap_cnt":256,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":52322,"proto":"UDP","dns":{"type":"answer","id":49263,"rcode":"NOERROR","rrname":"e13914.dscd.akamaiedge.net","rrtype":"A","ttl":19,"rdata":"2.18.235.69"}}
{"timestamp":"2019-09-18T13:34:42.960890+0000","flow_id":1130616627265845,"pcap_cnt":282,"event_type":"tls","src_ip":"192.168.100.237","src_port":49312,"dest_ip":"74.82.222.159","dest_port":443,"proto":"TCP","tls":{"subject":"CN=74.82.222.159","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:43.744956+0000","flow_id":262152765192997,"pcap_cnt":327,"event_type":"tls","src_ip":"192.168.100.237","src_port":49306,"dest_ip":"2.18.235.69","dest_port":443,"proto":"TCP","tls":{"subject":"CN=fpdownload.macromedia.com","issuerdn":"C=A
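The eve.json records above show DNS answers and TLS events for the same flows but Suricata does not join them. The following is an added example (not part of the page's output, and not Suricata's own code) that reads a constructed subset of these lines, builds an IP-to-name map from the A answers, and flags TLS flows whose certificate subject CN is an IP literal or whose issuer DN carries placeholder values, attaching the resolved names and the lowest DNS TTL as context. The placeholder markers ("Some-State", "Some Company") and the 60-second TTL threshold are this example's assumptions; the issuer DN on the last sample line is constructed because the page's copy of that line is cut off.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample: a subset of the eve.json lines shown on this page. The
# issuer DN on the final TLS line is a constructed placeholder; the page's copy
# of that line is truncated.
SAMPLE_EVE = r'''
{"timestamp":"2019-09-18T13:34:33.898697+0000","flow_id":1791126762272393,"pcap_cnt":12,"event_type":"dns","src_ip":"192.168.100.237","src_port":62014,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61364,"rrname":"www.shorico.club","rrtype":"A","tx_id":0}}
{"timestamp":"2019-09-18T13:34:33.922720+0000","flow_id":1791126762272393,"pcap_cnt":13,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":62014,"proto":"UDP","dns":{"type":"answer","id":61364,"rcode":"NOERROR","rrname":"www.shorico.club","rrtype":"A","ttl":1799,"rdata":"174.139.17.166"}}
{"timestamp":"2019-09-18T13:34:35.203384+0000","flow_id":605838195292234,"pcap_cnt":34,"event_type":"tls","src_ip":"192.168.100.237","src_port":49184,"dest_ip":"174.139.17.166","dest_port":443,"proto":"TCP","tls":{"subject":"CN=174.139.17.166","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:37.849197+0000","flow_id":941416875143129,"pcap_cnt":112,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":65096,"proto":"UDP","dns":{"type":"answer","id":16477,"rcode":"NOERROR","rrname":"shorico.xyz","rrtype":"A","ttl":59,"rdata":"74.82.222.159"}}
{"timestamp":"2019-09-18T13:34:37.901510+0000","flow_id":1053895626192675,"pcap_cnt":126,"event_type":"tls","src_ip":"192.168.100.237","src_port":49230,"dest_ip":"74.82.222.159","dest_port":443,"proto":"TCP","tls":{"subject":"CN=74.82.222.159","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-09-18T13:34:42.538804+0000","flow_id":787014948664817,"pcap_cnt":256,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.237","dest_port":52322,"proto":"UDP","dns":{"type":"answer","id":49263,"rcode":"NOERROR","rrname":"e13914.dscd.akamaiedge.net","rrtype":"A","ttl":19,"rdata":"2.18.235.69"}}
{"timestamp":"2019-09-18T13:34:43.744956+0000","flow_id":262152765192997,"pcap_cnt":327,"event_type":"tls","src_ip":"192.168.100.237","src_port":49306,"dest_ip":"2.18.235.69","dest_port":443,"proto":"TCP","tls":{"subject":"CN=fpdownload.macromedia.com","issuerdn":"CN=Example Issuing CA, O=Example Trust"}}
'''

# Assumption: DN attribute values like these are template placeholders left in
# a self-issued certificate, not a real CA. Tune for the environment analysed.
PLACEHOLDER_DN_MARKERS = ("Some-State", "Some Company")
LOW_TTL_SECONDS = 60  # assumption: context only, never a finding on its own


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dns_answers(events):
    """Map resolved IP -> set of rrnames and IP -> lowest TTL from A/AAAA answers."""
    names = defaultdict(set)
    ttls = {}
    for ev in events:
        if ev.get("event_type") != "dns":
            continue
        rec = ev["dns"]
        if rec.get("type") != "answer" or rec.get("rrtype") not in ("A", "AAAA"):
            continue
        ip = rec["rdata"]
        names[ip].add(rec["rrname"])
        if "ttl" in rec:
            ttls[ip] = min(ttls.get(ip, rec["ttl"]), rec["ttl"])
    return names, ttls


def cn_of(dn):
    """Return the CN attribute of a comma-separated DN string, or None."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return None


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def triage_tls(events):
    """Flag TLS flows whose certificate looks self-issued and join the DNS
    names that resolved to the destination. A short TTL alone never produces
    a finding (CDNs use short TTLs too); it is attached as context only."""
    names, ttls = dns_answers(events)
    findings = []
    for ev in events:
        if ev.get("event_type") != "tls":
            continue
        tls = ev.get("tls", {})
        reasons = []
        cn = cn_of(tls.get("subject", ""))
        if cn and is_ip_literal(cn):
            reasons.append("certificate CN is an IP literal")
        issuer = tls.get("issuerdn", "")
        if any(marker in issuer for marker in PLACEHOLDER_DN_MARKERS):
            reasons.append("issuer DN uses placeholder values")
        if not reasons:
            continue
        dst = ev["dest_ip"]
        if dst in ttls and ttls[dst] <= LOW_TTL_SECONDS:
            reasons.append(f"resolved via DNS with TTL {ttls[dst]}s")
        findings.append({
            "flow_id": ev["flow_id"],
            "dest_ip": dst,
            "names": sorted(names.get(dst, ())),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_tls(parse_eve(SAMPLE_EVE)):
        print(f["dest_ip"], f["names"], "; ".join(f["reasons"]))
```

Run it over a full log with `parse_eve(open("eve.json").read())`. On the sample it flags the two shorico destinations and leaves the Akamai flow alone despite its 19-second TTL. One caveat from the page itself: the bing.com flows (204.79.197.200) carry the same IP-literal CN and placeholder issuer, so in this capture the pattern says more about TLS interception in the environment that produced the pcap than about any single host; pivot on the DNS names, not on the certificate alone.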
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e0d6313642c187eacca4e1907246cee756b33745cb75ec8c950e11a498e082d2 -r /var/pcap/10152019.0944-0693e523-6228-43fa-af9b-758688062c11.pcap -vvv -k none
elapsedtime:24.350228
stderr:
stdout:
15/10/2019 -- 09:44:11 - <Info> - Configuration node 'rule-files' redefined.
15/10/2019 -- 09:44:11 - <Notice> - This is Suricata version 4.0.0 RELEASE
15/10/2019 -- 09:44:11 - <Info> - CPUs/cores online: 1
15/10/2019 -- 09:44:11 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33569 and 'request-body-inspect-window' set to 16983 after randomization.
15/10/2019 -- 09:44:11 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31953 and 'response-body-inspect-window' set to 15731 after randomization.
15/10/2019 -- 09:44:11 - <Config> - DNS request flood protection level: 500
15/10/2019 -- 09:44:11 - <Config> - DNS per flow memcap (state-memcap): 524288
15/10/2019 -- 09:44:11 - <Config> - DNS global memcap: 16777216
15/10/2019 -- 09:44:11 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
15/10/2019 -- 09:44:11 - <Config> - preallocated 1000 hosts of size 136
15/10/2019 -- 09:44:11 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
15/10/2019 -- 09:44:11 - <Config> - using magic-file /usr/share/file/magic
15/10/2019 -- 09:44:11 - <Config> - Core dump size is unlimited.
15/10/2019 -- 09:44:11 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
15/10/2019 -- 09:44:11 - <Config> - preallocated 1000 defrag trackers of size 168
15/10/2019 -- 09:44:11 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
15/10/2019 -- 09:44:11 - <Config> - stream "prealloc-sessions": 2048 (per thread)
15/10/2019 -- 09:44:11 - <Config> - stream "memcap": 33554432
15/10/2019 -- 09:44:11 - <Config> - stream "midstream" session pickups: disabled
15/10/2019 -- 09:44:11 - <Config> - stream "async-oneside": disabled
15/10/2019 -- 09:44:11 - <Config> - stream "checksum-validation": disabled
15/10/2019 -- 09:44:11 - <Config> - stream."inline": disabled
15/10/2019 -- 09:44:11 - <Config> - stream "bypass": disabled
15/10/2019 -- 09:44:11 - <Config> - stream "max-synack-queued": 5
15/10/2019 -- 09:44:11 - <Config> - stream.reassembly "memcap": 134217728
15/10/2019 -- 09:44:11 - <Config> - stream.reassembly "depth": 0
15/10/2019 -- 09:44:11 - <Config> - stream.reassembly "toserver-chunk-size": 2634
15/10/2019 -- 09:44:11 - <Config> - stream.reassembly "toclient-chunk-size": 2675
15/10/2019 -- 09:44:11 - <Config> - stream.reassembly.raw: enabled
15/10/2019 -- 09:44:11 - <Config> - stream.reassembly "segment-prealloc": 2048
15/10/2019 -- 09:44:11 - <Config> - Delayed detect disabled
15/10/2019 -- 09:44:11 - <Config> - pattern matchers: MPM: ac, SPM: bm
15/10/2019 -- 09:44:11 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
15/10/2019 -- 09:44:11 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
15/10/2019 -- 09:44:11 - <Config> - prefilter engines: MPM
15/10/2019 -- 09:44:11 - <Config> - IP reputation disabled
15/10/2019 -- 09:44:11 - <Perf> - Registered 148 keyword profiling counters.
15/10/2019 -- 09:44:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
15/10/2019 -- 09:44:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
15/10/2019 -- 09:44:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
15/10/2019 -- 09:44:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
15/10/2019 -- 09:44:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
15/10/2019 -- 09:44:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
15/10/2019 -- 09:44:17 - <Config> - No rules loaded from ET-icmp.rules.
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
15/10/2019 -- 09:44:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
15/10/2019 -- 09:44:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
15/10/2019 -- 09:44:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
15/10/2019 -- 09:44:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
15/10/2019 -- 09:44:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
15/10/2019 -- 09:44:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
15/10/2019 -- 09:44:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
15/10/2019 -- 09:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
15/10/2019 -- 09:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
15/10/2019 -- 09:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
15/10/2019 -- 09:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
15/10/2019 -- 09:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
15/10/2019 -- 09:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
15/10/2019 -- 09:44:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
15/10/2019 -- 09:44:24 - <Config> - No rules loaded from local.rules.
15/10/2019 -- 09:44:24 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
15/10/2019 -- 09:44:24 - <Info> - Threshold config parsed: 0 rule(s) found
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for tcp-packet
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for tcp-stream
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for udp-packet
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for other-ip
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_uri
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_request_line
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_client_body
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_response_line
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_header
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_header
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_header_names
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_header_names
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_accept
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_accept_enc
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_accept_lang
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_referer
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_connection
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_content_len
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_content_len
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_content_type
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_content_type
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_protocol
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_protocol
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_start
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_start
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_raw_header
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_raw_header
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_method
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_cookie
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_cookie
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_raw_uri
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_user_agent
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_host
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_raw_host
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_stat_msg
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_stat_code
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for dns_query
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for tls_sni
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for tls_cert_issuer
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for tls_cert_subject
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for tls_cert_serial
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for dce_stub_data
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for dce_stub_data
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for ssh_protocol
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for ssh_protocol
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for ssh_software
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for ssh_software
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for file_data
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for file_data
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_request_line
15/10/2019 -- 09:44:25 - <Perf> - using shared mpm ctx' for http_response_line
15/10/2019 -- 09:44:25 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
15/10/2019 -- 09:44:25 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
15/10/2019 -- 09:44:25 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
15/10/2019 -- 09:44:25 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
15/10/2019 -- 09:44:25 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
15/10/2019 -- 09:44:25 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
15/10/2019 -- 09:44:25 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
15/10/2019 -- 09:44:25 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
15/10/2019 -- 09:44:32 - <Perf> - Unique rule groups: 104
15/10/2019 -- 09:44:32 - <Perf> - Builtin MPM "toserver TCP packet": 35
15/10/2019 -- 09:44:32 - <Perf> - Builtin MPM "toclient TCP packet": 17
15/10/2019 -- 09:44:32 - <Perf> - Builtin MPM "toserver TCP stream": 33
15/10/2019 -- 09:44:32 - <Perf> - Builtin MPM "toclient TCP stream": 19
15/10/2019 -- 09:44:32 - <Perf> - Builtin MPM "toserver UDP packet": 27
15/10/2019 -- 09:44:32 - <Perf> - Builtin MPM "toclient UDP packet": 17
15/10/2019 -- 09:44:32 - <Perf> - Builtin MPM "other IP packet": 3
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_uri": 14
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_request_line": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_client_body": 6
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient http_response_line": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_header": 10
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient http_header": 6
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_header_names": 2
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_accept": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_referer": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_content_len": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_content_type": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient http_content_type": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_protocol": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_start": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_method": 5
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_cookie": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient http_cookie": 2
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver http_host": 2
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver dns_query": 4
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver tls_sni": 2
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toserver file_data": 1
15/10/2019 -- 09:44:32 - <Perf> - AppLayer MPM "toclient file_data": 7
15/10/2019 -- 09:44:34 - <Perf> - Registered 39590 rule profiling counters.
15/10/2019 -- 09:44:34 - <Info> - fast output device (regular) initialized: alert
15/10/2019 -- 09:44:34 - <Info> - eve-log output device (regular) initialized: eve.json
15/10/2019 -- 09:44:34 - <Config> - enabling 'eve-log' module 'alert'
15/10/2019 -- 09:44:34 - <Config> - enabling 'eve-log' module 'http'
15/10/2019 -- 09:44:34 - <Config> - enabling 'eve-log' module 'dns'
15/10/2019 -- 09:44:34 - <Config> - enabling 'eve-log' module 'tls'
15/10/2019 -- 09:44:34 - <Config> - enabling 'eve-log' module 'files'
15/10/2019 -- 09:44:34 - <Config> - enabling 'eve-log' module 'ssh'
15/10/2019 -- 09:44:34 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
15/10/2019 -- 09:44:34 - <Info> - stats output device (regular) initialized: stats.log
15/10/2019 -- 09:44:34 - <Config> - Aut
--------------------------------------------------------------------------------------------------------------------------------
Date: 10/15/2019 -- 09:44:35
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flags 19874 3 3 10872 6624.00 6624.00 0.00
flow 36428 3 3 27342 12142.00 12142.00 0.00
threshold 41166 3 0 31288 13722.00 0.00 13722.00
content 168039938 28994 14317 10418468 5795.00 5583.00 6002.00
pcre 27112816 4793 1481 783112 5656.00 5197.00 5862.00
byte_test 11739834 2270 228 47538 5171.00 5364.00 5150.00
byte_jump 3891168 731 684 37356 5323.00 5275.00 6018.00
isdataat 279776 53 0 28936 5278.00 0.00 5278.00
byte_extract 10972292 2101 2101 76686 5222.00 5222.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flags 19874 3 3 10872 6624.00 6624.00 0.00
flow 36428 3 3 27342 12142.00 12142.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 168039938 28994 14317 10418468 5795.00 5583.00 6002.00
pcre 27112816 4793 1481 783112 5656.00 5197.00 5862.00
byte_test 11739834 2270 228 47538 5171.00 5364.00 5150.00
byte_jump 3891168 731 684 37356 5323.00 5275.00 6018.00
isdataat 279776 53 0 28936 5278.00 0.00 5278.00
byte_extract 10972292 2101 2101 76686 5222.00 5222.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: threshold
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
threshold 41166 3 0 31288 13722.00 0.00 13722.00
--------------------------------------------------------------------------
Date: 10/15/2019 -- 09:44:35. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2019833 1 7 58634010 9.83 368 0 10665032 159331.55 0.00 159331.55
2 2018005 1 6 32444474 5.44 368 0 894612 88164.33 0.00 88164.33
3 2811447 1 2 1248068 0.21 16 0 487500 78004.25 0.00 78004.25
4 2014635 1 1 41806294 7.01 682 0 392448 61299.55 0.00 61299.55
5 2023476 1 5 48679876 8.16 368 0 391614 132282.27 0.00 132282.27
6 2022543 1 1 1809142 0.30 53 0 365476 34134.75 0.00 34134.75
7 2102190 1 5 4429494 0.74 802 0 360066 5523.06 0.00 5523.06
8 2021946 1 2 48635192 8.16 368 0 288018 132160.85 0.00 132160.85
9 2021749 1 6 1568748 0.26 7 0 267192 224106.86 0.00 224106.86
10 2022627 1 12 26278912 4.41 368 0 250700 71410.09 0.00 71410.09
11 2019832 1 4 43756580 7.34 368 0 229510 118903.75 0.00 118903.75
12 2822213 1 2 33856634 5.68 368 0 204114 92001.72 0.00 92001.72
13 2814978 1 2 29943484 5.02 368 0 182624 81368.16 0.00 81368.16
14 2023624 1 3 764446 0.13 122 0 182120 6265.95 0.00 6265.95
15 2814979 1 2 29564452 4.96 368 0 172926 80338.18 0.00 80338.18
16 2022535 1 11 26616512 4.46 368 0 164364 72327.48 0.00 72327.48
17 2014634 1 1 35461608 5.95 682 0 124172 51996.49 0.00 51996.49
18 2018457 1 1 20015162 3.36 368 0 118812 54389.03 0.00 54389.03
19 2824636 1 2 9099804 1.53 368 0 117310 24727.73 0.00 24727.73
20 2008118 1 3 533566 0.09 89 0 101572 5995.12 0.00 5995.12
21 2809850 1 2 395802 0.07 9 0 98032 43978.00 0.00 43978.00
22 2022547 1 1 4295326 0.72 845 0 74936 5083.23 0.00 5083.23
23 2018637 1 2 72668 0.01 1 0 72668 72668.00 0.00 72668.00
24 2102523 1 8 2010156 0.34 370 0 72272 5432.85 0.00 5432.85
25 2018077 1 5 71102 0.01 1 0 71102 71102.00 0.00 71102.00
26 2014701 1 12 2205842 0.37 106 0 69828 20809.83 0.00 20809.83
27 2020661 1 3 278156 0.05 21 0 65048 13245.52 0.00 13245.52
28 2803760 1 3 1579814 0.26 53 0 65046 29807.81 0.00 29807.81
29 2808577 1 5 7725484 1.30 1572 0 64322 4914.43 0.00 4914.43
30 2826281 1 2 1511892 0.25 53 0 62404 28526.26 0.00 28526.26
31 2017877 1 3 61084 0.01 1 0 61084 61084.00 0.00 61084.00
32 2009702 1 5 2199546 0.37 106 0 55954 20750.43 0.00 20750.43
33 2022480 1 2 106038 0.02 2 0 54732 53019.00 0.00 53019.00
34 2001569 1 15 100572 0.02 3 3 54464 33524.00 33524.00 0.00
35 2806561 1 5 2011982 0.34 369 0 54156 5452.53 0.00 5452.53
36 2010140 1 7 636150 0.11 82 0 53444 7757.93 0.00 7757.93
37 2017548 1 6 72212 0.01 5 0 50630 14442.40 0.00 14442.40
38 2018013 1 3 50372 0.01 1 0 50372 50372.00 0.00 50372.00
39 2802876 1 3 1783460 0.30 341 0 48062 5230.09 0.00 5230.09
40 2016922 1 12 47818 0.01 1 0 47818 47818.00 0.00 47818.00
41 2828748 1 2 1767328 0.30 352 0 44890 5020.82 0.00 5020.82
42 2018153 1 4 44270 0.01 1 0 44270 44270.00 0.00 44270.00
43 2020607 1 3 43916 0.01 1 0 43916 43916.00 0.00 43916.00
44 2012139 1 8 1682282 0.28 341 0 43720 4933.38 0.00 4933.38
45 2020790 1 2 43482 0.01 1 0 43482 43482.00 0.00 43482.00
46 2018316 1 4 91594 0.02 3 0 42230 30531.33 0.00 30531.33
47 2018880 1 2 41742 0.01 1 0 41742 41742.00 0.00 41742.00
48 2023611 1 3 41240 0.01 1 0 41240 41240.00 0.00 41240.00
49 2014702 1 9 1660862 0.28 106 0 40458 15668.51 0.00 15668.51
50 2811544 1 1 401358 0.07 26 0 40444 15436.85 0.00 15436.85
51 2018666 1 4 88894 0.01 3 0 39670 29631.33 0.00 29631.33
52 2009387 1 4 2219138 0.37 398 0 38910 5575.72 0.00 5575.72
53 2020692 1 1 38458 0.01 1 0 38458 38458.00 0.00 38458.00
54 2001330 1 8 8216836 1.38 1660 0 38418 4949.90 0.00 4949.90
55 2018032 1 2 37652 0.01 1 0 37652 37652.00 0.00 37652.00
56 2100540 1 12 3501622 0.59 682 0 37504 5134.34 0.00 5134.34
57 2020786 1 4 37250 0.01 1 0 37250 37250.00 0.00 37250.00
58 2014703 1 9 1607324 0.27 106 0 36728 15163.43 0.00 15163.43
59 2809255 1 3 1735438 0.29 341 0 35598 5089.26 0.00 5089.26
60 2018075 1 3 35104 0.01 1 0 35104 35104.00 0.00 35104.00
61 2017876 1 3 35008 0.01 1 0 35008 35008.00 0.00 35008.00
62 2017934 1 4 34602 0.01 1 0 34602 34602.00 0.00 34602.00
63 2020606 1 4 34106 0.01 1 0 34106 34106.00 0.00 34106.00
64 2018639 1 2 34006 0.01 1 0 34006 34006.00 0.00 34006.00
65 2020800 1 2 33898 0.01 1 0 33898 33898.00 0.00 33898.00
66 2020766 1 2 60804 0.01 2 0 33094 30402.00 0.00 30402.00
67 2020787 1 2 32718 0.01 1 0 32718 32718.00 0.00 32718.00
68 2816515 1 3 58234 0.01 2 0 32700 29117.00 0.00 29117.00
69 2021065 1 2 32652 0.01 1 0 32652 32652.00 0.00 32652.00
70 2024777 1 2 3885804 0.65 785 0 32480 4950.07 0.00 4950.07
71 2828876 1 1 4179706 0.70 830 0 32232 5035.79 0.00 5035.79
72 2018375 1 3 215154 0.04 9 0 31864 23906.00 0.00 23906.00
73 2823788 1 4 329158 0.06 53 0 31428 6210.53 0.00 6210.53
74 2020781 1 5 30810 0.01 1 0 30810 30810.00 0.00 30810.00
75 2020797 1 2 30738 0.01 1 0 30738 30738.00 0.00 30738.00
76 2020779 1 3 30558 0.01 1 0 30558 30558.00 0.00 30558.00
77 2018193 1 3 30448 0.01 1 0 30448 30448.00 0.00 30448.00
78 2019083 1 2 30312 0.01 1 0 30312 30312.00 0.00 30312.00
79 2020788 1 2 30044 0.01 1 0 30044 30044.00 0.00 30044.00
80 2020791 1 3 30010 0.01 1 0 30010 30010.00 0.00 30010.00
81 2021716 1 1 29908 0.01 1 0 29908 29908.00 0.00 29908.00
82 2020693 1 1 59116 0.01 2 0 29684 29558.00 0.00 29558.00
83 2020612 1 3 56742 0.01 2 0 29494 28371.00 0.00 28371.00
84 2018181 1 3 29476 0.00 1 0 29476 29476.00 0.00 29476.00
85 2103158 1 6 3837194 0.64 743 0 29018 5164.46 0.00 5164.46
86 2015986 1 5 3765774 0.63 763 0 29018 4935.48 0.00 4935.48
87 2828877 1 1 1703968 0.29 352 0 28956 4840.82 0.00 4840.82
88 2023612 1 4 121866 0.02 20 0 28908 6093.30 0.00 6093.30
89 2017916 1 2 28886 0.00 1 0 28886 28886.00 0.00 28886.00
90 2100540 1 12 3345640 0.56 682 0 28586 4905.63 0.00 4905.63
91 2019230 1 2 388024 0.07 26 0 27842 14924.00 0.00 14924.00
92 2020799 1 2 27120 0.00 1 0 27120 27120.00 0.00 27120.00
93 2023622 1 3 569668 0.10 108 0 27066 5274.70 0.00 5274.70
94 2020798 1 2 26992 0.00 1 0 26992 26992.00 0.00 26992.00
95 2018789 1 3 2051340 0.34 368 0 26876 5574.29 0.00 5574.29
96 2017988 1 6 26730 0.00 1 0 26730 26730.00 0.00 26730.00
97 2008120 1 4 700302 0.12 132 0 26674 5305.32 0.00 5305.32
98 2020796 1 2 26664 0.00 1 0 26664 26664.00 0.00 26664.00
99 2810487 1 1 95772 0.02 4 0 26650 23943.00 0.00 23943.00
100 2020742 1 1 75226 0.01 3 0 26474 25075.33 0.00 25075.33
101 2020767 1 2 26298 0.00 1 0 26298 26298.00 0.00 26298.00
102 2022401 1 3 26090 0.00 1 0 26090 26090.00 0.00 26090.00
103 2814679 1 4 96316 0.02 5 0 26056 19263.20 0.00 19263.20
104 2008116 1 4 330938 0.06 49 0 25878 6753.84 0.00 6753.84
105 2018292 1 1 1012620 0.17 203 0 25732 4988.28 0.00 4988.28
106 2018558 1 5 1842778 0.31 368 0 25582 5007.55 0.00 5007.55
107 2010143 1 3 484896 0.08 82 0 25568 5913.37 0.00 5913.37
108 2018069 1 1 25506 0.00 1 0 25506 25506.00 0.00 25506.00
109 2103159 1 4 1897934 0.32 371 0 25456 5115.73 0.00 5115.73
110 2811577 1 2 372714 0.06 26 0 25236 14335.15 0.00 14335.15
111 2020741 1 1 73594 0.01 3 0 24844 24531.33 0.00 24531.33
112 2023626 1 3 576334 0.10 105 0 24720 5488.90 0.00 5488.90
113 2016178 1 2 43718 0.01 5 0 24386 8743.60 0.00 8743.60
114 2811542 1 1 280566 0.05 12 0 24262 23380.50 0.00 23380.50
115 2008117 1 3 171784 0.03 30 0 24126 5726.13 0.00 5726.13
116 2100327 1 10 365682 0.06 61 0 23384 5994.79 0.00 5994.79
117 2018487 1 4 23348 0.00 1 0 23348 23348.00 0.00 23348.00
118 2827278 1 1 40566 0.01 2 0 23216 20283.00 0.00 20283.00
119 2013739 1 15 158464 0.03 29 0 22412 5464.28 0.00 5464.28
120 2803226 1 2 944516 0.16 194 0 22376 4868.64 0.00 4868.64
121 2102523 1 8 1852786 0.31 373 0 21710 4967.25 0.00 4967.25
122 2010142 1 4 407940 0.07 82 0 21524 4974.88 0.00 4974.88
123 2809132 1 1 1778356 0.30 368 0 21412 4832.49 0.00 4832.49
124 2017935 1 3 2009524 0.34 414 0 21120 4853.92 0.00 4853.92
125 2024778 1 1
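
Added example, not part of the original output and not code from Suricata or IDSDeathBlossom: a small Python parser for the per-rule profiling table above. The table is printed sorted by max ticks, which surfaces the rule that had the single most expensive check (often one large reassembled stream buffer) rather than the rules that cost the most over the whole pcap; the example re-sorts by total ticks and lists rules that were checked but never matched, the usual first candidates for tuning. Column order follows the header above (Num, Rule/sid, Gid, Rev, Ticks, %, Checks, Matches, Max Ticks, Avg Ticks, Avg Match, Avg No Match). Sample input is six rows copied verbatim from the table above plus the truncated last row as it appears on the page; the names RuleStat, parse_rule_perf, top_by_ticks, zero_match_cost and ticks_share are this example's own.

```python
"""Rank rules from Suricata's per-rule profiling output (rule_perf.log format).

Added example: parses the 12-column table shown above, re-sorts it by total
ticks instead of max ticks, and lists rules that burned cycles without ever
matching. Sample rows are copied from the table above; the header, separator,
Date line and the truncated final row are kept so the parser shows how it
skips them.
"""
from dataclasses import dataclass
from typing import List

# Rows copied from the profiling table above (Suricata 4.0.0, ET Pro ruleset).
SAMPLE = """\
Date: 10/15/2019 -- 09:44:35. Sorted by: max ticks.
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2019833 1 7 58634010 9.83 368 0 10665032 159331.55 0.00 159331.55
2 2018005 1 6 32444474 5.44 368 0 894612 88164.33 0.00 88164.33
3 2811447 1 2 1248068 0.21 16 0 487500 78004.25 0.00 78004.25
4 2014635 1 1 41806294 7.01 682 0 392448 61299.55 0.00 61299.55
5 2023476 1 5 48679876 8.16 368 0 391614 132282.27 0.00 132282.27
34 2001569 1 15 100572 0.02 3 3 54464 33524.00 33524.00 0.00
125 2024778 1 1
"""


@dataclass(frozen=True)
class RuleStat:
    sid: int
    gid: int
    rev: int
    ticks: int          # total CPU ticks spent evaluating this rule
    pct: float          # share of all profiled rule ticks, as printed by Suricata
    checks: int         # number of times the rule was evaluated
    matches: int        # number of those evaluations that matched
    max_ticks: int      # cost of the single most expensive check
    avg_ticks: float
    avg_match: float
    avg_nomatch: float


def parse_rule_perf(text: str) -> List[RuleStat]:
    """Parse the per-rule table. Header, separator and Date lines and any
    truncated row are skipped rather than raising: only 12-field lines whose
    first field is the row number are accepted."""
    rows: List[RuleStat] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12 or not f[0].isdigit():
            continue
        rows.append(RuleStat(
            sid=int(f[1]), gid=int(f[2]), rev=int(f[3]), ticks=int(f[4]),
            pct=float(f[5]), checks=int(f[6]), matches=int(f[7]),
            max_ticks=int(f[8]), avg_ticks=float(f[9]),
            avg_match=float(f[10]), avg_nomatch=float(f[11]),
        ))
    return rows


def top_by_ticks(rows: List[RuleStat], n: int = 10) -> List[RuleStat]:
    """Re-sort by total ticks: sustained cost over the capture, not the one
    slowest check that the 'max ticks' ordering above highlights."""
    return sorted(rows, key=lambda r: r.ticks, reverse=True)[:n]


def zero_match_cost(rows: List[RuleStat]) -> List[RuleStat]:
    """Rules evaluated at least once that never matched, costliest first.
    Pure cost for this traffic: review, threshold or disable them first."""
    return sorted((r for r in rows if r.checks > 0 and r.matches == 0),
                  key=lambda r: r.ticks, reverse=True)


def ticks_share(rows: List[RuleStat], subset: List[RuleStat]) -> float:
    """Fraction of all parsed ticks attributable to `subset` (0.0 if empty)."""
    total = sum(r.ticks for r in rows)
    return sum(r.ticks for r in subset) / total if total else 0.0


if __name__ == "__main__":
    rows = parse_rule_perf(SAMPLE)
    for r in top_by_ticks(rows, 3):
        print(f"sid {r.sid} rev {r.rev}: {r.ticks} ticks over {r.checks} checks, "
              f"{r.matches} matches, max {r.max_ticks}")
    dead = zero_match_cost(rows)
    print(f"{len(dead)} of {len(rows)} sampled rules never matched; "
          f"they account for {ticks_share(rows, dead):.1%} of sampled ticks")
```

Ticks are CPU cycle counts, so they are only comparable between runs on the same host and the same Suricata build, and the counters exist only because this run was built with profiling enabled (the "Registered 39590 rule profiling counters" line above); profiling adds overhead, so it is a test-bench setting, not a production one. Feed the whole rule_perf.log rather than the excerpt here before acting on the ranking: with a single pcap the match counts say more about the capture than about the rules.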
2019-10-15 09:44:11,081 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-10-15 09:44:11,810 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-10-15 09:44:11,810 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-10-15 09:44:11,811 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-10-15 09:44:11,811 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-10-15 09:44:11,811 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e0d6313642c187eacca4e1907246cee756b33745cb75ec8c950e11a498e082d2 -r /var/pcap/10152019.0944-0693e523-6228-43fa-af9b-758688062c11.pcap -vvv -k none
2019-10-15 09:44:36,164 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-10-15 09:44:36,165 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 25.0924079418