lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e201c2541aa4da91667a3e2b2905090d56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11182019.1613-cee653fd6765d9a9be007ee9808ceb48eb74ac82c5a8d4701d6c432b2d2f360b_network.pcap -vvv -k none
elapsedtime:25.618879
stderr:
stdout:
18/11/2019 -- 16:13:04 - <Info> - Configuration node 'rule-files' redefined.
18/11/2019 -- 16:13:04 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/11/2019 -- 16:13:04 - <Info> - CPUs/cores online: 1
18/11/2019 -- 16:13:04 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31655 and 'request-body-inspect-window' set to 16399 after randomization.
18/11/2019 -- 16:13:04 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32770 and 'response-body-inspect-window' set to 15569 after randomization.
18/11/2019 -- 16:13:04 - <Config> - DNS request flood protection level: 500
18/11/2019 -- 16:13:04 - <Config> - DNS per flow memcap (state-memcap): 524288
18/11/2019 -- 16:13:04 - <Config> - DNS global memcap: 16777216
18/11/2019 -- 16:13:04 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
18/11/2019 -- 16:13:04 - <Config> - preallocated 1000 hosts of size 136
18/11/2019 -- 16:13:04 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
18/11/2019 -- 16:13:04 - <Config> - using magic-file /usr/share/file/magic
18/11/2019 -- 16:13:04 - <Config> - Core dump size is unlimited.
18/11/2019 -- 16:13:04 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
18/11/2019 -- 16:13:04 - <Config> - preallocated 1000 defrag trackers of size 168
18/11/2019 -- 16:13:04 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
18/11/2019 -- 16:13:04 - <Config> - stream "prealloc-sessions": 2048 (per thread)
18/11/2019 -- 16:13:04 - <Config> - stream "memcap": 33554432
18/11/2019 -- 16:13:04 - <Config> - stream "midstream" session pickups: disabled
18/11/2019 -- 16:13:04 - <Config> - stream "async-oneside": disabled
18/11/2019 -- 16:13:04 - <Config> - stream "checksum-validation": disabled
18/11/2019 -- 16:13:04 - <Config> - stream."inline": disabled
18/11/2019 -- 16:13:04 - <Config> - stream "bypass": disabled
18/11/2019 -- 16:13:04 - <Config> - stream "max-synack-queued": 5
18/11/2019 -- 16:13:04 - <Config> - stream.reassembly "memcap": 134217728
18/11/2019 -- 16:13:04 - <Config> - stream.reassembly "depth": 0
18/11/2019 -- 16:13:04 - <Config> - stream.reassembly "toserver-chunk-size": 2589
18/11/2019 -- 16:13:04 - <Config> - stream.reassembly "toclient-chunk-size": 2659
18/11/2019 -- 16:13:04 - <Config> - stream.reassembly.raw: enabled
18/11/2019 -- 16:13:04 - <Config> - stream.reassembly "segment-prealloc": 2048
18/11/2019 -- 16:13:04 - <Config> - Delayed detect disabled
18/11/2019 -- 16:13:04 - <Config> - pattern matchers: MPM: ac, SPM: bm
18/11/2019 -- 16:13:04 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
18/11/2019 -- 16:13:04 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
18/11/2019 -- 16:13:04 - <Config> - prefilter engines: MPM
18/11/2019 -- 16:13:04 - <Config> - IP reputation disabled
18/11/2019 -- 16:13:04 - <Perf> - Registered 148 keyword profiling counters.
18/11/2019 -- 16:13:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
18/11/2019 -- 16:13:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
18/11/2019 -- 16:13:04 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
18/11/2019 -- 16:13:10 - <Config> - No rules loaded from ET-icmp.rules.
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
18/11/2019 -- 16:13:10 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
18/11/2019 -- 16:13:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
18/11/2019 -- 16:13:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
18/11/2019 -- 16:13:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
18/11/2019 -- 16:13:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
18/11/2019 -- 16:13:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
18/11/2019 -- 16:13:14 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
18/11/2019 -- 16:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
18/11/2019 -- 16:13:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
18/11/2019 -- 16:13:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
18/11/2019 -- 16:13:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
18/11/2019 -- 16:13:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
18/11/2019 -- 16:13:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
18/11/2019 -- 16:13:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
18/11/2019 -- 16:13:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
18/11/2019 -- 16:13:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
18/11/2019 -- 16:13:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
18/11/2019 -- 16:13:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
18/11/2019 -- 16:13:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
18/11/2019 -- 16:13:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
18/11/2019 -- 16:13:18 - <Config> - No rules loaded from local.rules.
18/11/2019 -- 16:13:18 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
18/11/2019 -- 16:13:18 - <Info> - Threshold config parsed: 0 rule(s) found
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for tcp-packet
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for tcp-stream
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for udp-packet
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for other-ip
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_uri
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_request_line
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_client_body
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_response_line
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_header
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_header
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_header_names
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_header_names
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_accept
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_accept_enc
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_accept_lang
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_referer
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_connection
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_content_len
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_content_len
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_content_type
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_content_type
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_protocol
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_protocol
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_start
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_start
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_raw_header
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_raw_header
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_method
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_cookie
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_cookie
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_raw_uri
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_user_agent
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_host
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_raw_host
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_stat_msg
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_stat_code
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for dns_query
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for tls_sni
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for tls_cert_issuer
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for tls_cert_subject
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for tls_cert_serial
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for dce_stub_data
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for dce_stub_data
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for ssh_protocol
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for ssh_protocol
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for ssh_software
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for ssh_software
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for file_data
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for file_data
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_request_line
18/11/2019 -- 16:13:19 - <Perf> - using shared mpm ctx' for http_response_line
18/11/2019 -- 16:13:19 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
18/11/2019 -- 16:13:19 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
18/11/2019 -- 16:13:19 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
18/11/2019 -- 16:13:19 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
18/11/2019 -- 16:13:19 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
18/11/2019 -- 16:13:19 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
18/11/2019 -- 16:13:19 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
18/11/2019 -- 16:13:19 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
18/11/2019 -- 16:13:26 - <Perf> - Unique rule groups: 104
18/11/2019 -- 16:13:26 - <Perf> - Builtin MPM "toserver TCP packet": 35
18/11/2019 -- 16:13:26 - <Perf> - Builtin MPM "toclient TCP packet": 17
18/11/2019 -- 16:13:26 - <Perf> - Builtin MPM "toserver TCP stream": 33
18/11/2019 -- 16:13:26 - <Perf> - Builtin MPM "toclient TCP stream": 19
18/11/2019 -- 16:13:26 - <Perf> - Builtin MPM "toserver UDP packet": 27
18/11/2019 -- 16:13:26 - <Perf> - Builtin MPM "toclient UDP packet": 17
18/11/2019 -- 16:13:26 - <Perf> - Builtin MPM "other IP packet": 3
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_uri": 14
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_request_line": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_client_body": 6
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient http_response_line": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_header": 10
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient http_header": 6
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_header_names": 2
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_accept": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_referer": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_content_len": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_content_type": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient http_content_type": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_protocol": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_start": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_method": 5
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_cookie": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient http_cookie": 2
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver http_host": 2
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver dns_query": 4
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver tls_sni": 2
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toserver file_data": 1
18/11/2019 -- 16:13:26 - <Perf> - AppLayer MPM "toclient file_data": 7
18/11/2019 -- 16:13:28 - <Perf> - Registered 39590 rule profiling counters.
18/11/2019 -- 16:13:28 - <Info> - fast output device (regular) initialized: alert
18/11/2019 -- 16:13:28 - <Info> - eve-log output device (regular) initialized: eve.json
18/11/2019 -- 16:13:28 - <Config> - enabling 'eve-log' module 'alert'
18/11/2019 -- 16:13:28 - <Config> - enabling 'eve-log' module 'http'
18/11/2019 -- 16:13:28 - <Config> - enabling 'eve-log' module 'dns'
18/11/2019 -- 16:13:28 - <Config> - enabling 'eve-log' module 'tls'
18/11/2019 -- 16:13:28 - <Config> - enabling 'eve-log' module 'files'
18/11/2019 -- 16:13:28 - <Config> - enabling 'eve-log' module 'ssh'
18/11/2019 -- 16:13:28 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/11/2019 -- 16:13:28 - <Info> - stats output device (regular) initialized: stats.log
18/
--------------------------------------------------------------------------
Date: 11/18/2019 -- 16:13:30. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2025191 1 1 17283088 23.16 412 0 10768652 41949.24 0.00 41949.24
2 2025189 1 1 6623016 8.87 412 0 433966 16075.28 0.00 16075.28
3 2025194 1 1 6447934 8.64 412 0 433410 15650.33 0.00 15650.33
4 2829561 1 1 6336496 8.49 412 0 432090 15379.84 0.00 15379.84
5 2021749 1 6 346172 0.46 1 0 346172 346172.00 0.00 346172.00
6 2814978 1 2 145976 0.20 1 0 145976 145976.00 0.00 145976.00
7 2814979 1 2 136024 0.18 1 0 136024 136024.00 0.00 136024.00
8 2816940 1 2 235634 0.32 2 0 130848 117817.00 0.00 117817.00
9 2025064 1 5 187114 0.25 2 0 124566 93557.00 0.00 93557.00
10 2025330 1 1 121902 0.16 1 0 121902 121902.00 0.00 121902.00
11 2021068 1 2 116688 0.16 1 1 116688 116688.00 116688.00 0.00
12 2816929 1 4 199080 0.27 2 0 116218 99540.00 0.00 99540.00
13 2018005 1 6 113982 0.15 1 0 113982 113982.00 0.00 113982.00
14 2825567 1 3 113664 0.15 1 0 113664 113664.00 0.00 113664.00
15 2809850 1 2 152640 0.20 2 0 112240 76320.00 0.00 76320.00
16 2816327 1 4 197250 0.26 2 0 110094 98625.00 0.00 98625.00
17 2816910 1 2 206978 0.28 2 0 108072 103489.00 0.00 103489.00
18 2816909 1 2 199986 0.27 2 0 107436 99993.00 0.00 99993.00
19 2018358 1 7 168998 0.23 2 0 98014 84499.00 0.00 84499.00
20 2827202 1 3 92914 0.12 1 0 92914 92914.00 0.00 92914.00
21 2024720 1 3 92388 0.12 1 0 92388 92388.00 0.00 92388.00
22 2825453 1 2 91372 0.12 1 0 91372 91372.00 0.00 91372.00
23 2829214 1 2 91302 0.12 1 0 91302 91302.00 0.00 91302.00
24 2011894 1 19 164132 0.22 2 0 86900 82066.00 0.00 82066.00
25 2822213 1 2 85030 0.11 1 0 85030 85030.00 0.00 85030.00
26 2018452 1 15 141474 0.19 2 0 84918 70737.00 0.00 70737.00
27 2819673 1 4 130642 0.18 2 0 83702 65321.00 0.00 65321.00
28 2820851 1 5 162060 0.22 2 0 83572 81030.00 0.00 81030.00
29 2014701 1 12 139090 0.19 4 0 82046 34772.50 0.00 34772.50
30 2816927 1 3 126468 0.17 2 0 81152 63234.00 0.00 63234.00
31 2816922 1 5 123466 0.17 2 0 76502 61733.00 0.00 61733.00
32 2024767 1 2 135356 0.18 2 0 74036 67678.00 0.00 67678.00
33 2829848 1 2 124932 0.17 2 0 73400 62466.00 0.00 62466.00
34 2828008 1 2 107914 0.14 2 0 72964 53957.00 0.00 53957.00
35 2828122 1 2 130140 0.17 2 0 72726 65070.00 0.00 65070.00
36 2815817 1 5 120284 0.16 2 0 71998 60142.00 0.00 60142.00
37 2816928 1 3 125588 0.17 2 0 71648 62794.00 0.00 62794.00
38 2022262 1 3 126572 0.17 2 0 71120 63286.00 0.00 63286.00
39 2017613 1 9 121958 0.16 2 0 69646 60979.00 0.00 60979.00
40 2024227 1 3 6233278 8.35 412 0 68552 15129.32 0.00 15129.32
41 2814883 1 3 101568 0.14 2 0 67130 50784.00 0.00 50784.00
42 2828060 1 4 125910 0.17 2 0 66918 62955.00 0.00 62955.00
43 2816525 1 10 121376 0.16 2 0 66776 60688.00 0.00 60688.00
44 2022207 1 4 119748 0.16 2 0 66604 59874.00 0.00 59874.00
45 2812916 1 6 121796 0.16 2 0 65622 60898.00 0.00 60898.00
46 2019344 1 5 112208 0.15 2 0 65162 56104.00 0.00 56104.00
47 2019881 1 3 109062 0.15 2 0 63224 54531.00 0.00 54531.00
48 2828986 1 2 120282 0.16 2 0 62482 60141.00 0.00 60141.00
49 2023875 1 2 121500 0.16 2 0 61902 60750.00 0.00 60750.00
50 2820031 1 2 107474 0.14 2 0 60774 53737.00 0.00 53737.00
51 2816328 1 5 113904 0.15 2 0 60632 56952.00 0.00 56952.00
52 2821561 1 2 116872 0.16 2 0 59064 58436.00 0.00 58436.00
53 2022339 1 2 116172 0.16 2 0 58344 58086.00 0.00 58086.00
54 2025192 1 1 6107768 8.18 412 0 57662 14824.68 0.00 14824.68
55 2021070 1 2 57646 0.08 1 0 57646 57646.00 0.00 57646.00
56 2816526 1 13 112716 0.15 2 0 57202 56358.00 0.00 56358.00
57 2003492 1 30 107996 0.14 2 0 56682 53998.00 0.00 53998.00
58 2816925 1 3 97706 0.13 2 0 53338 48853.00 0.00 48853.00
59 2819993 1 2 87272 0.12 2 0 52030 43636.00 0.00 43636.00
60 2018010 1 5 86896 0.12 2 0 51746 43448.00 0.00 43448.00
61 2018983 1 7 94992 0.13 2 0 51236 47496.00 0.00 47496.00
62 2020380 1 3 86676 0.12 2 0 50926 43338.00 0.00 43338.00
63 2815886 1 2 50662 0.07 1 0 50662 50662.00 0.00 50662.00
64 2025190 1 1 6101848 8.18 412 0 50484 14810.31 0.00 14810.31
65 2816930 1 4 94142 0.13 2 0 50126 47071.00 0.00 47071.00
66 2017259 1 12 95950 0.13 2 0 48758 47975.00 0.00 47975.00
67 2810991 1 4 94742 0.13 2 0 48154 47371.00 0.00 47371.00
68 2022200 1 2 47818 0.06 1 0 47818 47818.00 0.00 47818.00
69 2016858 1 10 93822 0.13 2 0 47514 46911.00 0.00 46911.00
70 2018496 1 9 92468 0.12 2 0 47378 46234.00 0.00 46234.00
71 2023670 1 3 93240 0.12 2 0 47360 46620.00 0.00 46620.00
72 2022198 1 2 47312 0.06 1 0 47312 47312.00 0.00 47312.00
73 2022503 1 2 92346 0.12 2 0 46896 46173.00 0.00 46173.00
74 2821615 1 2 93578 0.13 2 0 46824 46789.00 0.00 46789.00
75 2806132 1 3 92086 0.12 2 0 46762 46043.00 0.00 46043.00
76 2803760 1 3 73868 0.10 2 0 46668 36934.00 0.00 36934.00
77 2024771 1 1 51582 0.07 2 0 46644 25791.00 0.00 25791.00
78 2018958 1 18 91672 0.12 2 0 46632 45836.00 0.00 45836.00
79 2021038 1 4 92696 0.12 2 0 46626 46348.00 0.00 46348.00
80 2824801 1 3 46596 0.06 1 0 46596 46596.00 0.00 46596.00
81 2018981 1 4 91980 0.12 2 0 46416 45990.00 0.00 45990.00
82 2827580 1 7 82108 0.11 2 0 46414 41054.00 0.00 41054.00
83 2819785 1 2 91906 0.12 2 0 46364 45953.00 0.00 45953.00
84 2816165 1 5 91070 0.12 2 0 46232 45535.00 0.00 45535.00
85 2018242 1 5 90806 0.12 2 0 46098 45403.00 0.00 45403.00
86 2019693 1 5 91128 0.12 2 0 45828 45564.00 0.00 45564.00
87 2816924 1 4 89282 0.12 2 0 44892 44641.00 0.00 44641.00
88 2014380 1 4 90962 0.12 4 0 44824 22740.50 0.00 22740.50
89 2824408 1 2 80760 0.11 2 0 44682 40380.00 0.00 40380.00
90 2816931 1 3 88894 0.12 2 0 44650 44447.00 0.00 44447.00
91 2003657 1 18 78856 0.11 2 0 44084 39428.00 0.00 39428.00
92 2023315 1 2 79398 0.11 2 0 43732 39699.00 0.00 39699.00
93 2025193 1 1 6059294 8.12 412 0 43264 14707.02 0.00 14707.02
94 2809547 1 5 77084 0.10 2 0 43098 38542.00 0.00 38542.00
95 2022543 1 1 70812 0.09 2 0 42906 35406.00 0.00 35406.00
96 2017552 1 6 180190 0.24 6 0 42082 30031.67 0.00 30031.67
97 2815201 1 2 78886 0.11 2 0 41978 39443.00 0.00 39443.00
98 2824799 1 3 41784 0.06 1 0 41784 41784.00 0.00 41784.00
99 2825063 1 2 77752 0.10 2 0 41710 38876.00 0.00 38876.00
100 2016537 1 2 111452 0.15 4 0 41114 27863.00 0.00 27863.00
101 2012612 1 16 76452 0.10 2 0 40846 38226.00 0.00 38226.00
102 2809682 1 5 74926 0.10 2 0 40006 37463.00 0.00 37463.00
103 2022220 1 2 74506 0.10 2 0 39288 37253.00 0.00 37253.00
104 2816669 1 4 75410 0.10 2 0 38476 37705.00 0.00 37705.00
105 2022049 1 3 74968 0.10 2 0 37860 37484.00 0.00 37484.00
106 2826256 1 2 71976 0.10 2 0 37194 35988.00 0.00 35988.00
107 2825969 1 2 36912 0.05 1 0 36912 36912.00 0.00 36912.00
108 2014703 1 9 70908 0.10 4 0 36762 17727.00 0.00 17727.00
109 2827279 1 5 72014 0.10 2 0 36640 36007.00 0.00 36007.00
110 2012707 1 5 36324 0.05 1 0 36324 36324.00 0.00 36324.00
111 2024178 1 2 71840 0.10 2 0 35986 35920.00 0.00 35920.00
112 2804626 1 9 70270 0.09 2 0 35866 35135.00 0.00 35135.00
113 2020388 1 8 41440 0.06 2 0 35688 20720.00 0.00 20720.00
114 2827575 1 2 70290 0.09 2 0 35560 35145.00 0.00 35145.00
115 2815324 1 2 70586 0.09 2 0 35364 35293.00 0.00 35293.00
116 2016223 1 10 69380 0.09 2 0 35222 34690.00 0.00 34690.00
117 2816055 1 2 68700 0.09 2 0 34800 34350.00 0.00 34350.00
118 2020705 1 4 68744 0.09 2 0 34792 34372.00 0.00 34372.00
119 2805260 1 4 68734 0.09 2 0 34494 34367.00 0.00 34367.00
120 2826281 1 2 59776 0.08 2 0 33114 29888.00 0.00 29888.00
121 2102523 1 8 70792 0.09 9 0 31720 7865.78 0.00 7865.78
122 2802876 1 3 28526 0.04 1 0 28526 28526.00 0.00 28526.00
123 2019230 1 2 62768 0.08 4 0 28312 15692.00 0.00 15692.00
124 2014702 1 9 62216 0.08 4 0 27530 15554.00 0.00 15554.00
125 2024513 1 5
Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 532 12682784 183139086 124267628 66.1b 99.33
IPv4 17 7 13145946 171434814 61382864 429.7m 0.65
IPv6 17 1 14227446 14227446 14227446 14.2m 0.02
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 532 115676 11075308 387071 205.9m 81.48
TMM_FLOWWORKER IPv4 17 7 278774 8785626 1774262 12.4m 4.91
TMM_RECEIVEPCAPFILE IPv4 6 531 4440 28484170 58719 31.2m 12.34
TMM_RECEIVEPCAPFILE IPv4 17 7 4462 11690 5989 41.9k 0.02
TMM_DECODEPCAPFILE IPv4 6 531 4562 32882 4876 2.6m 1.02
TMM_DECODEPCAPFILE IPv4 17 7 4676 40492 10488 73.4k 0.03
TMM_FLOWWORKER IPv6 17 1 488978 488978 488978 489.0k 0.19
TMM_RECEIVEPCAPFILE IPv6 17 1 4492 4492 4492 4.5k 0.00
TMM_DECODEPCAPFILE IPv6 17 1 20330 20330 20330 20.3k 0.01
Flow Worker IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
flow IPv4 6 531 4762 24058 5607 3.0m 1.59
flow IPv4 17 7 5046 52308 14826 103.8k 0.06
stream IPv4 6 532 4540 1028740 12286 6.5m 3.48
app-layer IPv4 17 7 4496 59678 29354 205.5k 0.11
detect IPv4 6 532 77856 11026880 321069 170.8m 90.92
detect IPv4 17 7 241846 864220 559544 3.9m 2.08
tcp-prune IPv4 6 532 4420 77710 5343 2.8m 1.51
flow IPv6 17 1 22482 22482 22482 22.5k 0.01
app-layer IPv6 17 1 14624 14624 14624 14.6k 0.01
detect IPv6 17 1 433142 433142 433142 433.1k 0.23
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg
-------------------- ------ ----- ---------- ------------ ------------ -----------
http IPv4 6 2 12528 101892 57210 114.4k 63.27
tls IPv4 6 2 4862 8678 6770 13.5k 7.49
dns IPv4 17 4 8604 23948 13217 52.9k 29.24
Proto detect IPv4 17 5 15416 41484 23117 115.6k
Proto detect IPv6 17 1 5296 5296 5296 5.3k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
LOGGER_JSON_DNS IPv4 17 4 44368 7813602 2000812 8.0m 90.90
LOGGER_JSON_HTTP IPv4 6 2 119262 226536 172899 345.8k 3.93
LOGGER_JSON_TLS IPv4 6 1 60880 60880 60880 60.9k 0.69
LOGGER_JSON_FILE IPv4 6 4 72624 126748 98597 394.4k 4.48
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 18 4838 274576 60631 1.1m 27.05
payload IPv4 17 7 8596 62976 38354 268.5k 6.66
stream IPv4 6 18 4464 425708 72070 1.3m 32.16
http_uri IPv4 6 2 13850 17980 15915 31.8k 0.79
http_request_line IPv4 6 2 8744 20580 14662 29.3k 0.73
http_client_body IPv4 6 2 116134 139740 127937 255.9k 6.34
http_header (request) IPv4 6 2 183622 206960 195291 390.6k 9.68
http_header (request trailer) IPv4 6 2 4580 4722 4651 9.3k 0.23
http_header_names (request) IPv4 6 2 28132 29386 28759 57.5k 1.43
http_accept (request) IPv4 6 2 6098 6764 6431 12.9k 0.32
http_referer (request) IPv4 6 2 8464 8824 8644 17.3k 0.43
http_content_len (request) IPv4 6 2 7544 7872 7708 15.4k 0.38
http_content_type (request) IPv4 6 2 13066 14456 13761 27.5k 0.68
http_protocol (request) IPv4 6 2 7046 7944 7495 15.0k 0.37
http_start (request) IPv4 6 2 18726 19530 19128 38.3k 0.95
http_raw_header (request) IPv4 6 2 19922 20798 20360 40.7k 1.01
http_method IPv4 6 2 9042 9352 9197 18.4k 0.46
http_cookie (request) IPv4 6 2 5788 5864 5826 11.7k 0.29
http_raw_uri IPv4 6 2 7420 8126 7773 15.5k 0.39
http_user_agent IPv4 6 2 51572 59058 55315 110.6k 2.74
http_host IPv4 6 2 6932 7944 7438 14.9k 0.37
dns_query IPv4 17 2 14540 15274 14907 29.8k 0.74
tls_sni IPv4 6 1 14140 14140 14140 14.1k 0.35
http_response_line IPv4 6 2 6080 11066 8573 17.1k 0.43
http_header (response) IPv4 6 2 20898 42296 31597 63.2k 1.57
http_header (response trailer) IPv4 6 2 4474 4542 4508 9.0k 0.22
http_content_type (response) IPv4 6 2 6436 12068 9252 18.5k 0.46
http_raw_header (response) IPv4 6 2 10784 13020 11902 23.8k 0.59
http_cookie (response) IPv4 6 2 4774 4892 4833 9.7k 0.24
http_stat_code IPv4 6 2 6104 7158 6631 13.3k 0.33
tls_cert_issuer IPv4 6 1 17808 17808 17808 17.8k 0.44
tls_cert_subject IPv4 6 1 10422 10422 10422 10.4k 0.26
tls_cert_serial IPv4 6 1 8460 8460 8460 8.5k 0.21
Total IPv4 99 40453 4.0m
payload IPv6 17 1 29282 29282 29282 29.3k 0.73
Total IPv6 1 29282 29.3k
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot
------------------------ ------ ----- ---------- ------------ ------------ ----------- -----------
PROF_DETECT_IPONLY IPv4 6 14 18708 131086 76335 1.1m 0.64
PROF_DETECT_IPONLY IPv4 17 5 19658 261952 105055 525.3k 0.31
PROF_DETECT_RULES IPv4 6 532 4422 5361762 32488 17.3m 10.33
PROF_DETECT_RULES IPv4 17 7 130428 546814 288982 2.0m 1.21
PROF_DETECT_STATEFUL_START IPv4 6 9 8942 2704958 645399 5.8m 3.47
PROF_DETECT_STATEFUL_CONT IPv4 6 532 4422 10921224 173758 92.4m 55.23
PROF_DETECT_STATEFUL_CONT IPv4 17 7 4488 50126 14991 104.9k 0.06
PROF_DETECT_STATEFUL_UPDATE IPv4 6 507 4452 37104 5076 2.6m 1.54
PROF_DETECT_STATEFUL_UPDATE IPv4 17 4 4736 6596 5365 21.5k 0.01
PROF_DETECT_PREFILTER IPv4 6 532 13668 5325442 43613 23.2m 13.86
PROF_DETECT_PREFILTER IPv4 17 7 49462 137688 94496 661.5k 0.40
PROF_DETECT_PF_PAYLOAD IPv4 6 18 27296 450186 146568 2.6m 1.58
PROF_DETECT_PF_PAYLOAD IPv4 17 7 17754 72764 50661 354.6k 0.21
PROF_DETECT_PF_TX IPv4 6 507 4554 659528 8231 4.2m 2.49
PROF_DETECT_PF_TX IPv4 17 2 24414 29236 26825 53.7k 0.03
PROF_DETECT_PF_SORT1 IPv4 6 18 4512 20692 7795 140.3k 0.08
PROF_DETECT_PF_SORT1 IPv4 17 7 5286 8194 6434 45.0k 0.03
PROF_DETECT_PF_SORT2 IPv4 6 532 4406 28352 4915 2.6m 1.56
PROF_DETECT_PF_SORT2 IPv4 17 7 4538 8832 6302 44.1k 0.03
PROF_DETECT_NONMPMLIST IPv4 6 532 4420 25258 5098 2.7m 1.62
PROF_DETECT_NONMPMLIST IPv4 17 7 4518 5974 5137 36.0k 0.02
PROF_DETECT_ALERT IPv4 6 532 4420 22124 4809 2.6m 1.53
PROF_DETECT_ALERT IPv4 17 7 4436 19508 6927 48.5k 0.03
PROF_DETECT_CLEANUP IPv4 6 532 4472 41130 5144 2.7m 1.64
PROF_DETECT_CLEANUP IPv4 17 7 4436 21454 8160 57.1k 0.03
PROF_DETECT_GETSGH IPv4 6 532 4412 63180 5506 2.9m 1.75
PROF_DETECT_GETSGH IPv4 17 7 4706 14736 9288 65.0k 0.04
PROF_DETECT_IPONLY IPv6 17 1 27680 27680 27680 27.7k 0.02
PROF_DETECT_RULES IPv6 17 1 219798 219798 219798 219.8k 0.13
PROF_DETECT_STATEFUL_CONT IPv6 17 1 4420 4420 4420 4.4k 0.00
PROF_DETECT_PREFILTER IPv6 17 1 68246 68246 68246 68.2k 0.04
PROF_DETECT_PF_PAYLOAD IPv6 17 1 38452 38452 38452 38.5k 0.02
PROF_DETECT_PF_SORT1 IPv6 17 1 6126 6126 6126 6.1k 0.00
PROF_DETECT_PF_SORT2 IPv6 17 1 5484 5484 5484 5.5k 0.00
PROF_DETECT_NONMPMLIST IPv6 17 1 5318 5318 5318 5.3k 0.00
PROF_DETECT_ALERT IPv6 17 1 4466 4466 4466 4.5k 0.00
PROF_DETECT_CLEANUP IPv6 17 1 4990 4990 4990 5.0k 0.00
PROF_DETECT_GETSGH IPv6 17 1 53266 53266 53266 53.3k 0.03

------------------------------------------------------------------------------------
Date: 11/18/2019 -- 16:13:30 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 546
decoder.bytes | Total | 632748
decoder.ipv4 | Total | 538
decoder.ipv6 | Total | 1
decoder.ethernet | Total | 546
decoder.tcp | Total | 531
decoder.udp | Total | 8
decoder.avg_pkt_size | Total | 1158
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 10
flow.udp | Total | 4
tcp.sessions | Total | 5
tcp.syn | Total | 9
tcp.synack | Total | 3
tcp.rst | Total | 6
detect.nonmpm_list | Total | 2
app_layer.flow.http | Total | 2
app_layer.tx.http | Total | 2
app_layer.flow.tls | Total | 1
app_layer.flow.dns_udp | Total | 2
app_layer.tx.dns_udp | Total | 2
app_layer.flow.failed_udp | Total | 2
flow_mgr.new_pruned | Total | 9
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 13
flow_mgr.flows_notimeout | Total | 3
flow_mgr.flows_timeout | Total | 10
flow_mgr.flows_timeout_inuse | Total | 1
flow_mgr.flows_removed | Total | 9
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65523
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7078336

{"timestamp":"2019-10-26T11:09:41.132355+0000","flow_id":1656477239805187,"pcap_cnt":5,"event_type":"dns","src_ip":"192.168.240.60","src_port":52761,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48894,"rrname":"www.serdarkarakas.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-10-26T11:09:41.146879+0000","flow_id":1656477239805187,"pcap_cnt":6,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.60","dest_port":52761,"proto":"UDP","dns":{"type":"answer","id":48894,"rcode":"NOERROR","rrname":"www.serdarkarakas.com","rrtype":"A","ttl":299,"rdata":"18.196.217.123"}}
{"timestamp":"2019-10-26T11:09:41.503126+0000","flow_id":1206353929767713,"pcap_cnt":15,"event_type":"tls","src_ip":"192.168.240.60","src_port":49549,"dest_ip":"18.196.217.123","dest_port":443,"proto":"TCP","tls":{"subject":"CN=www.serdarkarakas.com","issuerdn":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"}}
{"timestamp":"2019-10-26T11:11:06.925237+0000","flow_id":1232102264312311,"pcap_cnt":518,"event_type":"http","src_ip":"192.168.240.60","src_port":49550,"dest_ip":"201.106.32.171","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"201.106.32.171","url":"\/forced\/tlb\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-10-26T11:11:06.925237+0000","flow_id":1232102264312311,"pcap_cnt":518,"event_type":"fileinfo","src_ip":"192.168.240.60","src_port":49550,"dest_ip":"201.106.32.171","dest_port":80,"proto":"TCP","http":{"hostname":"201.106.32.171","url":"\/forced\/tlb\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_refer":"http:\/\/201.106.32.171\/forced\/tlb\/","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":548},"app_proto":"http","fileinfo":{"filename":"\/forced\/tlb\/","gaps":false,"state":"CLOSED","stored":false,"size":468,"tx_id":0}}
{"timestamp":"2019-10-26T11:11:31.397102+0000","flow_id":205875665112878,"pcap_cnt":523,"event_type":"dns","src_ip":"192.168.240.60","src_port":53386,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30288,"rrname":"dns.msftncsi.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-10-26T11:11:31.398552+0000","flow_id":205875665112878,"pcap_cnt":524,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.60","dest_port":53386,"proto":"UDP","dns":{"type":"answer","id":30288,"rcode":"NOERROR","rrname":"dns.msftncsi.com","rrtype":"A","ttl":3,"rdata":"131.107.255.255"}}
{"timestamp":"2019-10-26T11:11:59.050265+0000","flow_id":2010835673039375,"pcap_cnt":536,"event_type":"http","src_ip":"192.168.240.60","src_port":49553,"dest_ip":"46.29.183.211","dest_port":8080,"proto":"TCP","tx_id":0,"http":{"hostname":"46.29.183.211","url":"\/cookies\/devices\/nsip\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-10-26T11:11:59.050265+0000","flow_id":2010835673039375,"pcap_cnt":536,"event_type":"fileinfo","src_ip":"192.168.240.60","src_port":49553,"dest_ip":"46.29.183.211","dest_port":8080,"proto":"TCP","http":{"hostname":"46.29.183.211","url":"\/cookies\/devices\/nsip\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_refer":"http:\/\/46.29.183.211\/cookies\/devices\/nsip\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/cookies\/devices\/nsip\/","gaps":false,"state":"CLOSED","stored":false,"size":459,"tx_id":0}}
{"timestamp":"2019-10-26T11:12:02.050314+0000","flow_id":2010835673039375,"pcap_cnt":537,"event_type":"fileinfo","src_ip":"46.29.183.211","src_port":8080,"dest_ip":"192.168.240.60","dest_port":49553,"proto":"TCP","http":{"hostname":"46.29.183.211","url":"\/cookies\/devices\/nsip\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_refer":"http:\/\/46.29.183.211\/cookies\/devices\/nsip\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/cookies\/devices\/nsip\/","gaps":false,"state":"CLOSED","stored":false,"size":132,"tx_id":0}}
{"timestamp":"2019-10-26T11:12:11.920025+0000","flow_id":1232102264312311,"pcap_cnt":539,"event_type":"fileinfo","src_ip":"201.106.32.171","src_port":80,"dest_ip":"192.168.240.60","dest_port":49550,"proto":"TCP","http":{"hostname":"201.106.32.171","url":"\/forced\/tlb\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_refer":"http:\/\/201.106.32.171\/forced\/tlb\/","http_method":"POST","protocol":"HTTP\/1.1","status":404,"length":548},"app_proto":"http","fileinfo":{"filename":"\/forced\/tlb\/","gaps":false,"state":"CLOSED","stored":false,"size":548,"tx_id":0}}

--------------------------------------------------------------------------------------------------------------------------------
Date: 11/18/2019 -- 16:13:30
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 1116702 196 196 34734 5697.00 5697.00 0.00
content 30532182 3694 210 10754928 8265.00 6854.00 8350.00
pcre 798142 47 14 78932 16981.00 22534.00 14626.00
byte_test 139924 20 8 26174 6996.00 8406.00 6056.00
isdataat 27248 2 0 22460 13624.00 0.00 13624.00
flowbits 66042 9 1 26754 7338.00 26754.00 4911.00
urilen 258132 46 13 21118 5611.00 5230.00 5761.00
byte_extract 43984 8 8 12476 5498.00 5498.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 1116702 196 196 34734 5697.00 5697.00 0.00
flowbits 39288 8 0 6090 4911.00 0.00 4911.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 787874 138 61 14894 5709.00 6348.00 5202.00
pcre 189524 10 2 78932 18952.00 43776.00 12746.00
byte_test 139924 20 8 26174 6996.00 8406.00 6056.00
isdataat 27248 2 0 22460 13624.00 0.00 13624.00
byte_extract 43984 8 8 12476 5498.00 5498.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: post-match
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flowbits 26754 1 1 26754 26754.00 26754.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_uri
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 116718 20 4 7740 5835.00 5301.00 5969.00
pcre 273316 17 1 31236 16077.00 16264.00 16065.00
urilen 258132 46 13 21118 5611.00 5230.00 5761.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_client_body
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 5476 1 0 5476 5476.00 0.00 5476.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_response_line
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 5208 1 0 5208 5208.00 0.00 5208.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: file_data
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 10744 2 0 5554 5372.00 0.00 5372.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 1178058 157 93 35048 7503.00 7655.00 7282.00
pcre 253400 16 7 39026 15837.00 18536.00 13738.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header_names
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 11414 2 0 5968 5707.00 0.00 5707.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_content_type
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 32448 6 6 6048 5408.00 5408.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_method
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 22228 3 0 8914 7409.00 0.00 7409.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_user_agent
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 332370 56 36 8168 5935.00 6328.00 5227.00
pcre 81902 4 4 36908 20475.00 20475.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_stat_code
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 20538 4 2 6246 5134.00 4559.00 5710.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: tls_cert_issuer
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 49626 8 8 7174 6203.00 6203.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: tls_cert_subject
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 27959480 3296 0 10754928 8482.00 0.00 8482.00

2019-11-18 16:13:03,930 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-11-18 16:13:04,717 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-11-18 16:13:04,717 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-11-18 16:13:04,718 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-11-18 16:13:04,718 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-11-18 16:13:04,718 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e201c2541aa4da91667a3e2b2905090d56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11182019.1613-cee653fd6765d9a9be007ee9808ceb48eb74ac82c5a8d4701d6c432b2d2f360b_network.pcap -vvv -k none
2019-11-18 16:13:30,339 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-11-18 16:13:30,340 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 26.4186270237