Filename: network (1).pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 24.4533700943 seconds
Hash: e6a7cc43baf1f996b1c8c1a7c9ab0319 (the first 32 hex digits of the 64-digit value that names the output directory in the lastcmd line of the report below)
Uploaded: 1568627891 (Unix epoch: 2019-09-16 09:58:11 UTC, which matches the Suricata start time in the report below)

Logfiles


suricata-4.0.0-etpro-all-alert-2019-09-16-T-09-58-35-09162019.0958-network_1.pcap.txt - (423 bytes)
08/22/2019-15:38:43.605367  [**] [1:2022082:3] ET POLICY External IP Lookup ip-api.com [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.240.80:49289 -> 69.195.146.130:80
08/22/2019-15:38:43.605367  [**] [1:2823676:2] ETPRO TROJAN W32/Quasar 1.3 RAT Connectivity Check [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.80:49289 -> 69.195.146.130:80
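Both alerts above fire on the same packet: identical timestamp and identical 5-tuple, 192.168.240.80:49289 -> 69.195.146.130:80. The ET POLICY external-IP-lookup hit is low-fidelity on its own (plenty of legitimate software asks ip-api.com for its public address); what makes this flow worth a ticket is the ETPRO Quasar rule firing on the same request, which names that lookup as the RAT's connectivity check. The Python below is an added example, not code from this page or from Suricata: it parses fast-log alert lines with a regular expression, groups them by flow, and returns the flows on which a trojan-class signature fired. The input is the two alert lines above; the function names (parse_fast_line, group_by_flow, summarize, trojan_flows) are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Suricata "fast" alert per line; src/dst may be IPv4 or IPv6 literals.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# The two alert lines from the fast log listing above.
SAMPLE_LINES = [
    "08/22/2019-15:38:43.605367  [**] [1:2022082:3] ET POLICY External IP Lookup "
    "ip-api.com [**] [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 1] {TCP} 192.168.240.80:49289 -> 69.195.146.130:80",
    "08/22/2019-15:38:43.605367  [**] [1:2823676:2] ETPRO TROJAN W32/Quasar 1.3 RAT "
    "Connectivity Check [**] [Classification: A Network Trojan was detected] "
    "[Priority: 1] {TCP} 192.168.240.80:49289 -> 69.195.146.130:80",
]

TROJAN_CLASS = "A Network Trojan was detected"


def parse_fast_line(line):
    """Return the alert's fields as a dict, or None for a line that is not a fast-log alert."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[k] = int(a[k])
    return a


def flow_key(alert):
    """5-tuple in the direction Suricata logged it (here client -> server)."""
    return (alert["proto"], alert["src"], alert["sport"], alert["dst"], alert["dport"])


def group_by_flow(alerts):
    """Map each 5-tuple to its alerts in log order; unparsable lines (None) are skipped."""
    flows = defaultdict(list)
    for a in alerts:
        if a is not None:
            flows[flow_key(a)].append(a)
    return dict(flows)


def summarize(flows):
    """Per flow: alert count, distinct sids, most severe priority, first timestamp,
    and whether any rule of the trojan class fired on it."""
    return {
        key: {
            "count": len(alerts),
            "sids": sorted({a["sid"] for a in alerts}),
            "priority": min(a["prio"] for a in alerts),  # 1 is the most severe
            "first_seen": min(a["ts"] for a in alerts),
            "trojan": any(a["cls"] == TROJAN_CLASS for a in alerts),
        }
        for key, alerts in flows.items()
    }


def trojan_flows(flows):
    """Flows on which a trojan-class signature fired: the ones to ticket first.
    A POLICY external-IP-lookup hit alone is weak evidence; paired with the
    ETPRO RAT rule on the same flow it is a confirmed connectivity check."""
    return [key for key, s in summarize(flows).items() if s["trojan"]]


if __name__ == "__main__":
    flows = group_by_flow(parse_fast_line(line) for line in SAMPLE_LINES)
    for key, s in summarize(flows).items():
        print(key, s)
    print("ticket:", trojan_flows(flows))
```

Grouping by 5-tuple rather than by line is the point: the two lines collapse into one flow with two sids, and the trojan flag on that flow is what an analyst acts on. Feed it a whole fast.log and the same code ranks every flow the same way.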


unified2.alert.1568627914 - (588 bytes)
(unified2 is a binary format, so the record headers do not render as text. The file contains the captured request twice, once per alert above; the readable payload is:)

GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
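To read a unified2 file properly rather than eyeballing the printable bytes, you decode its records: a big-endian header of type and length, then for each alert an IDS event record (type 7, 52 bytes for IPv4; type 104 is the same layout plus mpls_label, vlan_id and padding) followed by a packet record (type 2: a 28-byte header and the raw frame). The Python below is an added example, not code from this page or from Suricata. It builds a two-alert unified2 stream for the request above (event fields taken from the fast log; the MAC addresses, IP id and TTL, TCP window, sensor_id and classification_id are arbitrary, and checksums are left at zero since this is a decoding exercise, not a replay), parses it back, and joins each packet record to its event through event_id. The constructed stream comes to 588 bytes, which is consistent with the file size shown above for two 52-byte events and two untagged 198-byte frames. The epoch 1566488323.605367 in the records is 08/22/2019-15:38:43.605367 UTC, the fast-log timestamp.

```python
import socket
import struct
from datetime import datetime, timezone

# Unified2 record types and layouts (Snort's unified2 definition; everything is big-endian).
U2_PACKET = 2                           # Unified2Packet: 28-byte header followed by the raw frame
U2_IDS_EVENT = 7                        # 52-byte IPv4 event
U2_IDS_EVENT_VLAN = 104                 # same 52 bytes plus mpls_label, vlan_id, pad2 (60 bytes)
REC_HDR = struct.Struct(">II")          # record type, record length
EVENT_BASE = struct.Struct(">11I2H4B")  # common 52-byte prefix of types 7 and 104
PKT_HDR = struct.Struct(">7I")          # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, length
DLT_EN10MB = 1

# Constructed sample: the request from the listing above, framed as Ethernet II/IPv4/TCP.
# Event fields come from the fast log; MACs, IP id/ttl, window and classification_id are arbitrary.
HTTP_REQUEST = (
    b"GET /json/ HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0\r\n"
    b"Host: ip-api.com\r\nConnection: Keep-Alive\r\n\r\n"
)
SRC, SPORT, DST, DPORT = "192.168.240.80", 49289, "69.195.146.130", 80
EV_SEC, EV_USEC = 1566488323, 605367    # 08/22/2019-15:38:43.605367 UTC
ALERTS = [(1, 2022082, 3), (2, 2823676, 2)]  # (event_id, sid, rev) for the two alerts


def build_frame(payload):
    """Ethernet II + 20-byte IPv4 + 20-byte TCP (PSH,ACK); checksums left at zero, not a replay."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", SPORT, DPORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 128, 6, 0, socket.inet_aton(SRC), socket.inet_aton(DST))
    return eth + ip + tcp + payload


def build_sample():
    """An event record followed by a packet record per alert, so the same frame is stored twice."""
    frame, out = build_frame(HTTP_REQUEST), b""
    for event_id, sid, rev in ALERTS:
        ev = EVENT_BASE.pack(0, event_id, EV_SEC, EV_USEC, sid, 1, rev, 0, 1,
                             int.from_bytes(socket.inet_aton(SRC), "big"),
                             int.from_bytes(socket.inet_aton(DST), "big"),
                             SPORT, DPORT, 6, 0, 0, 0)
        pkt = PKT_HDR.pack(0, event_id, EV_SEC, EV_SEC, EV_USEC, DLT_EN10MB, len(frame)) + frame
        out += REC_HDR.pack(U2_IDS_EVENT, len(ev)) + ev + REC_HDR.pack(U2_PACKET, len(pkt)) + pkt
    return out


def iter_records(data):
    """Yield (type, body) per record; a truncated tail raises instead of being mis-parsed."""
    off = 0
    while off < len(data):
        if off + REC_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(body):
    """Decode the 52-byte prefix shared by event types 7 and 104."""
    f = EVENT_BASE.unpack_from(body)
    return {"event_id": f[1], "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
            "ts": datetime.fromtimestamp(f[2], timezone.utc).replace(microsecond=f[3]),
            "src": socket.inet_ntoa(f[9].to_bytes(4, "big")), "sport": f[11],
            "dst": socket.inet_ntoa(f[10].to_bytes(4, "big")), "dport": f[12], "proto": f[13]}


def tcp_payload(frame):
    """Walk Ethernet II -> IPv4 -> TCP honouring IHL and data offset; b'' if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00":
        return b""
    ip = frame[14:]
    if ip[9] != 6:
        return b""
    total = struct.unpack_from(">H", ip, 2)[0]
    tcp = ip[(ip[0] & 0x0F) * 4:total]
    return tcp[(tcp[12] >> 4) * 4:]


def parse_packet(body):
    f = PKT_HDR.unpack_from(body)
    frame = body[PKT_HDR.size:PKT_HDR.size + f[6]]
    return {"event_id": f[1], "linktype": f[5], "frame": frame, "payload": tcp_payload(frame)}


def extract_requests(data):
    """(sid, first request line) for every packet record, joined to its event by event_id."""
    events, out = {}, []
    for rtype, body in iter_records(data):
        if rtype in (U2_IDS_EVENT, U2_IDS_EVENT_VLAN):
            ev = parse_event(body)
            events[ev["event_id"]] = ev
        elif rtype == U2_PACKET:
            pkt = parse_packet(body)
            first_line = pkt["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
            out.append((events.get(pkt["event_id"], {}).get("sid"), first_line))
    return out


if __name__ == "__main__":
    data = build_sample()
    for sid, line in extract_requests(data):
        print(sid, line)
```

Point the same iter_records/extract_requests at the real unified2.alert file (open it in binary mode) and you get one (sid, request line) pair per alert instead of the stray bytes in the listing. The explicit length checks matter on a live sensor: unified2 files are rotated while being written, and a half-written trailing record should be reported, not silently decoded as garbage.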


suricata-report-2019-09-16-T-09-58-35-09162019.0958-network_1.pcap.txt - (17653 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e6a7cc43baf1f996b1c8c1a7c9ab031956b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09162019.0958-network_1.pcap -vvv -k none
elapsedtime:23.471376
stderr:
stdout:
16/9/2019 -- 09:58:11 - <Info> - Configuration node 'rule-files' redefined.
16/9/2019 -- 09:58:11 - <Notice> - This is Suricata version 4.0.0 RELEASE
16/9/2019 -- 09:58:11 - <Info> - CPUs/cores online: 1
16/9/2019 -- 09:58:11 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31747 and 'request-body-inspect-window' set to 16954 after randomization.
16/9/2019 -- 09:58:11 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33880 and 'response-body-inspect-window' set to 16470 after randomization.
16/9/2019 -- 09:58:11 - <Config> - DNS request flood protection level: 500
16/9/2019 -- 09:58:11 - <Config> - DNS per flow memcap (state-memcap): 524288
16/9/2019 -- 09:58:11 - <Config> - DNS global memcap: 16777216
16/9/2019 -- 09:58:11 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
16/9/2019 -- 09:58:11 - <Config> - preallocated 1000 hosts of size 136
16/9/2019 -- 09:58:11 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
16/9/2019 -- 09:58:11 - <Config> - using magic-file /usr/share/file/magic
16/9/2019 -- 09:58:11 - <Config> - Core dump size is unlimited.
16/9/2019 -- 09:58:11 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
16/9/2019 -- 09:58:11 - <Config> - preallocated 1000 defrag trackers of size 168
16/9/2019 -- 09:58:11 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
16/9/2019 -- 09:58:11 - <Config> - stream "prealloc-sessions": 2048 (per thread)
16/9/2019 -- 09:58:11 - <Config> - stream "memcap": 33554432
16/9/2019 -- 09:58:11 - <Config> - stream "midstream" session pickups: disabled
16/9/2019 -- 09:58:11 - <Config> - stream "async-oneside": disabled
16/9/2019 -- 09:58:11 - <Config> - stream "checksum-validation": disabled
16/9/2019 -- 09:58:11 - <Config> - stream."inline": disabled
16/9/2019 -- 09:58:11 - <Config> - stream "bypass": disabled
16/9/2019 -- 09:58:11 - <Config> - stream "max-synack-queued": 5
16/9/2019 -- 09:58:11 - <Config> - stream.reassembly "memcap": 134217728
16/9/2019 -- 09:58:11 - <Config> - stream.reassembly "depth": 0
16/9/2019 -- 09:58:11 - <Config> - stream.reassembly "toserver-chunk-size": 2556
16/9/2019 -- 09:58:11 - <Config> - stream.reassembly "toclient-chunk-size": 2477
16/9/2019 -- 09:58:11 - <Config> - stream.reassembly.raw: enabled
16/9/2019 -- 09:58:11 - <Config> - stream.reassembly "segment-prealloc": 2048
16/9/2019 -- 09:58:11 - <Config> - Delayed detect disabled
16/9/2019 -- 09:58:11 - <Config> - pattern matchers: MPM: ac, SPM: bm
16/9/2019 -- 09:58:11 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
16/9/2019 -- 09:58:11 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
16/9/2019 -- 09:58:11 - <Config> - prefilter engines: MPM
16/9/2019 -- 09:58:11 - <Config> - IP reputation disabled
16/9/2019 -- 09:58:11 - <Perf> - Registered 148 keyword profiling counters.
16/9/2019 -- 09:58:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
16/9/2019 -- 09:58:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
16/9/2019 -- 09:58:12 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
16/9/2019 -- 09:58:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
16/9/2019 -- 09:58:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
16/9/2019 -- 09:58:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
16/9/2019 -- 09:58:17 - <Config> - No rules loaded from ET-icmp.rules.
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
16/9/2019 -- 09:58:17 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
16/9/2019 -- 09:58:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
16/9/2019 -- 09:58:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
16/9/2019 -- 09:58:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
16/9/2019 -- 09:58:22 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
16/9/2019 -- 09:58:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
16/9/2019 -- 09:58:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
16/9/2019 -- 09:58:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
16/9/2019 -- 09:58:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
16/9/2019 -- 09:58:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
16/9/2019 -- 09:58:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
16/9/2019 -- 09:58:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
16/9/2019 -- 09:58:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
16/9/2019 -- 09:58:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
16/9/2019 -- 09:58:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
16/9/2019 -- 09:58:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
16/9/2019 -- 09:58:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
16/9/2019 -- 09:58:24 - <Config> - No rules loaded from local.rules.
16/9/2019 -- 09:58:24 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
16/9/2019 -- 09:58:24 - <Info> - Threshold config parsed: 0 rule(s) found
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for tcp-packet
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for tcp-stream
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for udp-packet
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for other-ip
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_uri
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_request_line
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_client_body
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_response_line
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_header
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_header
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_header_names
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_header_names
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_accept
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_accept_enc
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_accept_lang
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_referer
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_connection
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_content_len
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_content_len
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_content_type
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_content_type
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_protocol
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_protocol
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_start
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_start
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_raw_header
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_raw_header
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_method
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_cookie
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_cookie
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_raw_uri
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_user_agent
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_host
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_raw_host
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_stat_msg
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_stat_code
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for dns_query
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for tls_sni
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for tls_cert_issuer
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for tls_cert_subject
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for tls_cert_serial
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for dce_stub_data
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for dce_stub_data
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for ssh_protocol
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for ssh_protocol
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for ssh_software
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for ssh_software
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for file_data
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for file_data
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_request_line
16/9/2019 -- 09:58:25 - <Perf> - using shared mpm ctx' for http_response_line
16/9/2019 -- 09:58:25 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
16/9/2019 -- 09:58:25 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
16/9/2019 -- 09:58:25 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
16/9/2019 -- 09:58:25 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
16/9/2019 -- 09:58:25 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
16/9/2019 -- 09:58:25 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
16/9/2019 -- 09:58:25 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
16/9/2019 -- 09:58:25 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
16/9/2019 -- 09:58:31 - <Perf> - Unique rule groups: 104
16/9/2019 -- 09:58:31 - <Perf> - Builtin MPM "toserver TCP packet": 35
16/9/2019 -- 09:58:31 - <Perf> - Builtin MPM "toclient TCP packet": 17
16/9/2019 -- 09:58:31 - <Perf> - Builtin MPM "toserver TCP stream": 33
16/9/2019 -- 09:58:31 - <Perf> - Builtin MPM "toclient TCP stream": 19
16/9/2019 -- 09:58:31 - <Perf> - Builtin MPM "toserver UDP packet": 27
16/9/2019 -- 09:58:31 - <Perf> - Builtin MPM "toclient UDP packet": 17
16/9/2019 -- 09:58:31 - <Perf> - Builtin MPM "other IP packet": 3
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_uri": 14
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_request_line": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_client_body": 6
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient http_response_line": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_header": 10
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient http_header": 6
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_header_names": 2
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_accept": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_referer": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_content_len": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_content_type": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient http_content_type": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_protocol": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_start": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_method": 5
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_cookie": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient http_cookie": 2
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver http_host": 2
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver dns_query": 4
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver tls_sni": 2
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toserver file_data": 1
16/9/2019 -- 09:58:31 - <Perf> - AppLayer MPM "toclient file_data": 7
16/9/2019 -- 09:58:34 - <Perf> - Registered 39590 rule profiling counters.
16/9/2019 -- 09:58:34 - <Info> - fast output device (regular) initialized: alert
16/9/2019 -- 09:58:34 - <Info> - eve-log output device (regular) initialized: eve.json
16/9/2019 -- 09:58:34 - <Config> - enabling 'eve-log' module 'alert'
16/9/2019 -- 09:58:34 - <Config> - enabling 'eve-log' module 'http'
16/9/2019 -- 09:58:34 - <Config> - enabling 'eve-log' module 'dns'
16/9/2019 -- 09:58:34 - <Config> - enabling 'eve-log' module 'tls'
16/9/2019 -- 09:58:34 - <Config> - enabling 'eve-log' module 'files'
16/9/2019 -- 09:58:34 - <Config> - enabling 'eve-log' module 'ssh'
16/9/2019 -- 09:58:34 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
16/9/2019 -- 09:58:34 - <Info> - stats output device (regular) initialized: stats.log
16/9/2019 -- 09:58:34 - <Config> - AutoFP mode using "Hash" flow load balancer
16/9/2019 -- 09:58:34 - <Info> - reading pcap file /var/pcap/09162019.0958-network_1.pcap
16/9/2019 -- 09:58:34 - <Config> - using 1 flow manager threads
16/9/2019 -- 09:58:34 - <Co

This file has been truncated.


packet_stats.log - (14570 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           209          8453022      104581440      79495907         16.6b   99.07
 IPv4      17             7          7166316       45207450      21242599        148.7m    0.89
 IPv6      17             1          8100868        8100868       8100868          8.1m    0.05
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           209           113956       19316796        393316         82.2m   81.38
TMM_FLOWWORKER              IPv4      17             7           277210        9820390       2299891         16.1m   15.94
TMM_RECEIVEPCAPFILE         IPv4       6           209             4442          13740          4614        964.4k    0.95
TMM_RECEIVEPCAPFILE         IPv4      17             7             4458          12718          5829         40.8k    0.04
TMM_DECODEPCAPFILE          IPv4       6           209             4596          45978          5141          1.1m    1.06
TMM_DECODEPCAPFILE          IPv4      17             7             4634          42736         10371         72.6k    0.07
TMM_FLOWWORKER              IPv6      17             1           537362         537362        537362        537.4k    0.53
TMM_RECEIVEPCAPFILE         IPv6      17             1             4896           4896          4896          4.9k    0.00
TMM_DECODEPCAPFILE          IPv6      17             1            20050          20050         20050         20.0k    0.02

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot     %
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
flow                    IPv4       6           209             4892          35344          5982          1.3m  1.85  
flow                    IPv4      17             7             6286          59528         23326        163.3k  0.24  
stream                  IPv4       6           209             4530         538788         12268          2.6m  3.79  
app-layer               IPv4      17             7             4806          71794         33303        233.1k  0.34  
detect                  IPv4       6           209            76940        3995748        263965         55.2m  81.50 
detect                  IPv4      17             7           240378        2340270        906917          6.3m  9.38  
tcp-prune               IPv4       6           209             4434         419394          6911          1.4m  2.13  
flow                    IPv6      17             1            29300          29300         29300         29.3k  0.04  
app-layer               IPv6      17             1            15352          15352         15352         15.4k  0.02  
detect                  IPv6      17             1           474392         474392        474392        474.4k  0.70  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot     %
--------------------   ------   -----   ----------     ------------   ------------   -----------    ------  -----
http                    IPv4       6             1           141268         141268        141268        141.3k  70.35 
dns                     IPv4      17             4             9484          26440         14881         59.5k  29.65 
Proto detect            IPv4      17             5            17390          59824         28513        142.6k
Proto detect            IPv6      17             1             5886           5886          5886          5.9k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  -----
LOGGER_ALERT_FAST           IPv4       6             1         13797434       13797434      13797434         13.8m  56.61 
LOGGER_UNIFIED2             IPv4       6             1           971344         971344        971344        971.3k  3.99  
LOGGER_JSON_ALERT           IPv4       6             1           220698         220698        220698        220.7k  0.91  
LOGGER_JSON_DNS             IPv4      17             4            55714        8930060       2285471          9.1m  37.51 
LOGGER_JSON_HTTP            IPv4       6             1            99640          99640         99640         99.6k  0.41  
LOGGER_JSON_FILE            IPv4       6             1           143390         143390        143390        143.4k  0.59  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6             4             4792         114502         51653       206.6k  7.90  
payload                           IPv4      17             7             8700          91032         42504       297.5k  11.37 
stream                            IPv4       6             4             4572         618458        182379       729.5k  27.88 
http_uri                          IPv4       6             1            18644          18644         18644        18.6k  0.71  
http_request_line                 IPv4       6             1            14316          14316         14316        14.3k  0.55  
http_client_body                  IPv4       6             1             6002           6002          6002         6.0k  0.23  
http_header (request)             IPv4       6             1           101584         101584        101584       101.6k  3.88  
http_header (request trailer)     IPv4       6             1             4562           4562          4562         4.6k  0.17  
http_header_names (request)       IPv4       6             1            27312          27312         27312        27.3k  1.04  
http_accept (request)             IPv4       6             1             6404           6404          6404         6.4k  0.24  
http_referer (request)            IPv4       6             1             5368           5368          5368         5.4k  0.21  
http_content_len (request)        IPv4       6             1             5742           5742          5742         5.7k  0.22  
http_content_type (request)       IPv4       6             1             6008           6008          6008         6.0k  0.23  
http_protocol (request)           IPv4       6             1            10068          10068         10068        10.1k  0.38  
http_start (request)              IPv4       6             1            20472          20472         20472        20.5k  0.78  
http_raw_header (request)         IPv4       6             1            23568          23568         23568        23.6k  0.90  
http_method                       IPv4       6             1            12086          12086         12086        12.1k  0.46  
http_cookie (request)             IPv4       6             1             5970           5970          5970         6.0k  0.23  
http_raw_uri                      IPv4       6             1             8976           8976          8976         9.0k  0.34  
http_user_agent                   IPv4       6             1            52600          52600         52600        52.6k  2.01  
http_host                         IPv4       6             1            15206          15206         15206        15.2k  0.58  
dns_query                         IPv4      17             2            12886         859432        436159       872.3k  33.34 
http_response_line                IPv4       6             1            18826          18826         18826        18.8k  0.72  
http_header (response)            IPv4       6             1            56344          56344         56344        56.3k  2.15  
http_header (response trailer)    IPv4       6             1             4510           4510          4510         4.5k  0.17  
http_content_type (response)      IPv4       6             1            18540          18540         18540        18.5k  0.71  
http_raw_header (response)        IPv4       6             1            16662          16662         16662        16.7k  0.64  
http_cookie (response)            IPv4       6             1             5420           5420          5420         5.4k  0.21  
http_stat_code                    IPv4       6             1             7512           7512          7512         7.5k  0.29  
Total                             IPv4                    42                                         61397         2.6m
payload                           IPv6      17             1            37572          37572         37572        37.6k  1.44  
Total                             IPv6                     1                                         37572        37.6k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         %
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------  -----
PROF_DETECT_IPONLY          IPv4       6            72             5386         536296         49609          3.6m  6.49  
PROF_DETECT_IPONLY          IPv4      17             5            35336         414826        150820        754.1k  1.37  
PROF_DETECT_RULES           IPv4       6           209             4432        3311138        128094         26.8m  48.66 
PROF_DETECT_RULES           IPv4      17             7           132038         445094        244878          1.7m  3.12  
PROF_DETECT_STATEFUL_START    IPv4       6             4             9442        1814482        471096          1.9m  3.43  
PROF_DETECT_STATEFUL_CONT    IPv4       6           209             4410         420620          7362          1.5m  2.80  
PROF_DETECT_STATEFUL_CONT    IPv4      17             7             4462          64678         20823        145.8k  0.26  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6             7             4522           5730          5009         35.1k  0.06  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             4             5094         819434        208808        835.2k  1.52  
PROF_DETECT_PREFILTER       IPv4       6           209            13496         845642         27987          5.8m  10.63 
PROF_DETECT_PREFILTER       IPv4      17             7            47830         977930        214158          1.5m  2.72  
PROF_DETECT_PF_PAYLOAD      IPv4       6             4            99500         638780        247655        990.6k  1.80  
PROF_DETECT_PF_PAYLOAD      IPv4      17             7            17726         100040         51656        361.6k  0.66  
PROF_DETECT_PF_TX           IPv4       6             7             4734         438636         91348        639.4k  1.16  
PROF_DETECT_PF_TX           IPv4      17             2            23086         870312        446699        893.4k  1.62  
PROF_DETECT_PF_SORT1        IPv4       6             4             4864          10300          6379         25.5k  0.05  
PROF_DETECT_PF_SORT1        IPv4      17             7             4864           7104          5863         41.0k  0.07  
PROF_DETECT_PF_SORT2        IPv4       6           209             4426          27560          4993          1.0m  1.90  
PROF_DETECT_PF_SORT2        IPv4      17             7             4494           7596          6151         43.1k  0.08  
PROF_DETECT_NONMPMLIST      IPv4       6           209             4446          23820          5088          1.1m  1.93  
PROF_DETECT_NONMPMLIST      IPv4      17             7             4502           6684          5540         38.8k  0.07  
PROF_DETECT_ALERT           IPv4       6           209             4428         424014          8867          1.9m  3.37  
PROF_DETECT_ALERT           IPv4      17             7             4484          21886          7965         55.8k  0.10  
PROF_DETECT_CLEANUP         IPv4       6           209             4468          30662          5133          1.1m  1.95  
PROF_DETECT_CLEANUP         IPv4      17             7             4464           9630          6635         46.4k  0.08  
PROF_DETECT_GETSGH          IPv4       6           209             4454          83466          8078          1.7m  3.07  
PROF_DETECT_GETSGH          IPv4      17             7             4496          18852         10318         72.2k  0.13  
PROF_DETECT_IPONLY          IPv6      17             1            44884          44884         44884         44.9k  0.08  
PROF_DETECT_RULES           IPv6      17             1           237732         237732        237732        237.7k  0.43  
PROF_DETECT_STATEFUL_CONT    IPv6      17             1             4674           4674          4674          4.7k  0.01  
PROF_DETECT_PREFILTER       IPv6      17             1            77984          77984         77984         78.0k  0.14  
PROF_DETECT_PF_PAYLOAD      IPv6      17             1            46782          46782         46782         46.8k  0.09  
PROF_DETECT_PF_SORT1        IPv6      17             1             6174           6174          6174          6.2k  0.01  
PROF_DETECT_PF_SORT2        IPv6      17             1             6842           6842          6842          6.8k  0.01  
PROF_DETECT_NONMPMLIST      IPv6      17             1             5408           5408          5408          5.4k  0.01  
PROF_DETECT_ALERT           IPv6      17             1             4492           4492          4492          4.5k  0.01  
PROF_DETECT_CLEANUP         IPv6      17             1             5452           5452          5452          5.5k  0.01  
PROF_DETECT_GETSGH          IPv6      17             1            48370          48370         48370         48.4k  0.09  


suricata-4.0.0-etpro-all-perf.txt-2019-09-16-T-09-58-35-09162019.0958-network_1.pcap.txt - (16726 bytes)
  --------------------------------------------------------------------------
  Date: 9/16/2019 -- 09:58:35. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2013506      1        1        1968924      13.01  96       0        1100898     20509.62    0.00        20509.62   
  2        2001219      1        20       1478270      9.77   96       0        622504      15398.65    0.00        15398.65   
  3        2102523      1        8        888310       5.87   97       0        428576      9157.84     0.00        9157.84    
  4        2002994      1        7        860026       5.68   96       0        427152      8958.60     0.00        8958.60    
  5        2025064      1        5        200352       1.32   1        0        200352      200352.00   0.00        200352.00  
  6        2823676      1        2        135294       0.89   1        1        135294      135294.00   135294.00   0.00       
  7        2816909      1        2        121318       0.80   1        0        121318      121318.00   0.00        121318.00  
  8        2827279      1        5        109926       0.73   1        0        109926      109926.00   0.00        109926.00  
  9        2014701      1        12       163670       1.08   4        0        108970      40917.50    0.00        40917.50   
  10       2816910      1        2        101362       0.67   1        0        101362      101362.00   0.00        101362.00  
  11       2816940      1        2        100060       0.66   1        0        100060      100060.00   0.00        100060.00  
  12       2828008      1        2        100056       0.66   1        0        100056      100056.00   0.00        100056.00  
  13       2820851      1        5        99756        0.66   1        0        99756       99756.00    0.00        99756.00   
  14       2023583      1        4        83468        0.55   1        0        83468       83468.00    0.00        83468.00   
  15       2827505      1        2        78508        0.52   1        0        78508       78508.00    0.00        78508.00   
  16       2815817      1        5        65460        0.43   1        0        65460       65460.00    0.00        65460.00   
  17       2816327      1        4        62198        0.41   1        0        62198       62198.00    0.00        62198.00   
  18       2830124      1        1        59098        0.39   1        0        59098       59098.00    0.00        59098.00   
  19       2816525      1        10       58986        0.39   1        0        58986       58986.00    0.00        58986.00   
  20       2823166      1        3        58814        0.39   1        0        58814       58814.00    0.00        58814.00   
  21       2816165      1        5        58454        0.39   1        0        58454       58454.00    0.00        58454.00   
  22       2816924      1        4        57832        0.38   1        0        57832       57832.00    0.00        57832.00   
  23       2024771      1        1        52404        0.35   1        0        52404       52404.00    0.00        52404.00   
  24       2002993      1        7        483442       3.20   96       0        52194       5035.85     0.00        5035.85    
  25       2023916      1        2        52122        0.34   1        0        52122       52122.00    0.00        52122.00   
  26       2816328      1        5        50692        0.34   1        0        50692       50692.00    0.00        50692.00   
  27       2821615      1        2        50184        0.33   1        0        50184       50184.00    0.00        50184.00   
  28       2828123      1        2        50174        0.33   1        0        50174       50174.00    0.00        50174.00   
  29       2012612      1        16       50100        0.33   1        0        50100       50100.00    0.00        50100.00   
  30       2025162      1        2        50018        0.33   1        0        50018       50018.00    0.00        50018.00   
  31       2819673      1        4        49376        0.33   1        0        49376       49376.00    0.00        49376.00   
  32       2018359      1        3        48462        0.32   1        0        48462       48462.00    0.00        48462.00   
  33       2816526      1        13       48292        0.32   1        0        48292       48292.00    0.00        48292.00   
  34       2829644      1        1        47970        0.32   1        0        47970       47970.00    0.00        47970.00   
  35       2816922      1        5        47676        0.32   1        0        47676       47676.00    0.00        47676.00   
  36       2816929      1        4        47652        0.31   1        0        47652       47652.00    0.00        47652.00   
  37       2816931      1        3        46268        0.31   1        0        46268       46268.00    0.00        46268.00   
  38       2816928      1        3        45794        0.30   1        0        45794       45794.00    0.00        45794.00   
  39       2816930      1        4        45654        0.30   1        0        45654       45654.00    0.00        45654.00   
  40       2816927      1        3        45628        0.30   1        0        45628       45628.00    0.00        45628.00   
  41       2816925      1        3        45336        0.30   1        0        45336       45336.00    0.00        45336.00   
  42       2012707      1        5        44568        0.29   1        0        44568       44568.00    0.00        44568.00   
  43       2828190      1        2        39930        0.26   1        0        39930       39930.00    0.00        39930.00   
  44       2022082      1        3        39102        0.26   1        1        39102       39102.00    39102.00    0.00       
  45       2826256      1        2        39062        0.26   1        0        39062       39062.00    0.00        39062.00   
  46       2830035      1        2        39060        0.26   1        0        39060       39060.00    0.00        39060.00   
  47       2809267      1        8        38370        0.25   1        0        38370       38370.00    0.00        38370.00   
  48       2816857      1        2        37590        0.25   1        0        37590       37590.00    0.00        37590.00   
  49       2829607      1        1        37478        0.25   1        0        37478       37478.00    0.00        37478.00   
  50       2814229      1        2        37358        0.25   1        0        37358       37358.00    0.00        37358.00   
  51       2808852      1        4        36990        0.24   1        0        36990       36990.00    0.00        36990.00   
  52       2804626      1        9        36518        0.24   1        0        36518       36518.00    0.00        36518.00   
  53       2017552      1        6        87698        0.58   3        0        36296       29232.67    0.00        29232.67   
  54       2808851      1        4        35370        0.23   1        0        35370       35370.00    0.00        35370.00   
  55       2016537      1        2        59494        0.39   2        0        32548       29747.00    0.00        29747.00   
  56       2019230      1        2        36538        0.24   2        0        31230       18269.00    0.00        18269.00   
  57       2010939      1        3        529652       3.50   96       0        31210       5517.21     0.00        5517.21    
  58       2826281      1        2        58886        0.39   2        0        29648       29443.00    0.00        29443.00   
  59       2022543      1        1        57530        0.38   2        0        29520       28765.00    0.00        28765.00   
  60       2803760      1        3        57428        0.38   2        0        29138       28714.00    0.00        28714.00   
  61       2016323      1        1        38478        0.25   3        0        28718       12826.00    0.00        12826.00   
  62       2013382      1        3        28314        0.19   1        0        28314       28314.00    0.00        28314.00   
  63       2811544      1        1        33520        0.22   2        0        27304       16760.00    0.00        16760.00   
  64       2003068      1        7        488864       3.23   96       0        27038       5092.33     0.00        5092.33    
  65       2014703      1        9        62956        0.42   4        0        26156       15739.00    0.00        15739.00   
  66       2014702      1        9        60868        0.40   4        0        25916       15217.00    0.00        15217.00   
  67       2811577      1        2        31874        0.21   2        0        25710       15937.00    0.00        15937.00   
  68       2002995      1        10       474554       3.14   96       0        21494       4943.27     0.00        4943.27    
  69       2002911      1        6        455390       3.01   96       0        20642       4743.65     0.00        4743.65    
  70       2001582      1        15       469780       3.10   96       0        20512       4893.54     0.00        4893.54    
  71       2806561      1        5        481166       3.18   96       0        20418       5012.15     0.00        5012.15    
  72       2102523      1        8        473398       3.13   97       0        19510       4880.39     0.00        4880.39    
  73       2010938      1        3        452328       2.99   96       0        18426       4711.75     0.00        4711.75    
  74       2020388      1        8        8592         0.06   1        0        8592        8592.00     0.00        8592.00    
  75       2810792      1        5        7750         0.05   1        0        7750        7750.00     0.00        7750.00    
  76       2001580      1        15       439678       2.91   96       0        6968        4579.98     0.00        4579.98    
  77       2823788      1        4        13586        0.09   2        0        6956        6793.00     0.00        6793.00    
  78       2810793      1        5        6836         0.05   1        0        6836        6836.00     0.00        6836.00    
  79       2002910      1        6        440056       2.91   96       0        6598        4583.92     0.00        4583.92    
  80       2009702      1        5        22720        0.15   4        0        6576        5680.00     0.00        5680.00    
  81       2801347      1        5        20040        0.13   4        0        6574        5010.00     0.00        5010.00    
  82       2020369      1        3        6528         0.04   1        0        6528        6528.00     0.00        6528.00    
  83       2002992      1        7        434750       2.87   96       0        6514        4528.65     0.00        4528.65    
  84       2804586      1        2        6506         0.04   1        0        6506        6506.00     0.00        6506.00    
  85       2009243      1        2        12064        0.08   2        0        6332        6032.00     0.00        6032.00    
  86       2816382      1        1        6296         0.04   1        0        6296        6296.00     0.00        6296.00    
  87       2021702      1        1        11984        0.08   2        0        6280        5992.00     0.00        5992.00    
  88       2025200      1        1        22864        0.15   4        0        6264        5716.00     0.00        5716.00    
  89       2019011      1        3        6252         0.04   1        0        6252        6252.00     0.00        6252.00    
  90       2008117      1        3        6214         0.04   1        0        6214        6214.00     0.00        6214.00    
  91       2008116      1        4        6102         0.04   1        0        6102        6102.00     0.00        6102.00    
  92       2008120      1        4        26134        0.17   5        0        6022        5226.80     0.00        5226.80    
  93       2828877      1        1        5978         0.04   1        0        5978        5978.00     0.00        5978.00    
  94       2008420      1        4        11696        0.08   2        0        5976        5848.00     0.00        5848.00    
  95       2023626      1        3        26134        0.17   5        0        5974        5226.80     0.00        5226.80    
  96       2100518      1        8        5824         0.04   1        0        5824        5824.00     0.00        5824.00    
  97       2010143      1        3        16770        0.11   3        0        5816        5590.00     0.00        5590.00    
  98       2016363      1        2        14782        0.10   3        0        5774        4927.33     0.00        4927.33    
  99       2828876      1        1        10712        0.07   2        0        5768        5356.00     0.00        5356.00    
  100      2023622      1        3        39804        0.26   8        0        5762        4975.50     0.00        4975.50    
  101      2021701      1        1        11066        0.07   2        0        5740        5533.00     0.00        5533.00    
  102      2023627      1        3        5726         0.04   1        0        5726        5726.00     0.00        5726.00    
  103      2010140      1        7        16032        0.11   3        0        5708        5344.00     0.00        5344.00    
  104      2023624      1        3        35252        0.23   7        0        5696        5036.00     0.00        5036.00    
  105      2100540      1        12       10964        0.07   2        0        5664        5482.00     0.00        5482.00    
  106      2023625      1        3        14546        0.10   3        0        5660        4848.67     0.00        4848.67    
  107      2023617      1        3        19502        0.13   4        0        5634        4875.50     0.00        4875.50    
  108      2008118      1        3        10844        0.07   2        0        5616        5422.00     0.00        5422.00    
  109      2802822      1        1        5512         0.04   1        0        5512        5512.00     0.00        5512.00    
  110      2100566      1        5        14376        0.10   3        0        5416        4792.00     0.00        4792.00    
  111      2023621      1        4        14280        0.09   3        0        5378        4760.00     0.00        4760.00    
  112      2023620      1        3        9968         0.07   2        0        5366        4984.00     0.00        4984.00    
  113      2023618      1        3        10328        0.07   2        0        5326        5164.00     0.00        5164.00    
  114      2802205      1        3        5314         0.04   1        0        5314        5314.00     0.00        5314.00    
  115      2019016      1        3        5314         0.04   1        0        5314        5314.00     0.00        5314.00    
  116      2023615      1        3        24216        0.16   5        0        5310        4843.20     0.00        4843.20    
  117      2100540      1        12       10604        0.07   2        0        5304        5302.00     0.00        5302.00    
  118      2023613      1        3        23606        0.16   5        0        5144        4721.20     0.00        4721.20    
  119      2023614      1        3        14020        0.09   3        0        5126        4673.33     0.00        4673.33    
  120      2828748      1        2        4982         0.03   1        0        4982        4982.00     0.00        4982.00    
  121      2816920      1        1        4954         0.03   1        0        4954        4954.00     0.00        4954.00    
  122      2013075      1        8        9856         0.07   2        0        4954        4928.00     0.00        4928.00    
  123      2010142      1        4        14152        0.09   3        0        4892        4717.33     0.00        4717.33    
  124      2023612      1        4        17838        0.12   4        0        4496        4459.50     0.00        4459.50    
  125      2013739      1        15       4

This file has been truncated.


stats.log - (2909 bytes)
------------------------------------------------------------------------------------
Date: 9/16/2019 -- 09:58:35 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 225
decoder.bytes                              | Total                     | 14960
decoder.ipv4                               | Total                     | 216
decoder.ipv6                               | Total                     | 1
decoder.ethernet                           | Total                     | 225
decoder.tcp                                | Total                     | 209
decoder.udp                                | Total                     | 8
decoder.avg_pkt_size                       | Total                     | 66
decoder.max_pkt_size                       | Total                     | 517
flow.tcp                                   | Total                     | 39
flow.udp                                   | Total                     | 4
tcp.sessions                               | Total                     | 33
tcp.syn                                    | Total                     | 97
tcp.synack                                 | Total                     | 1
tcp.rst                                    | Total                     | 103
detect.alert                               | Total                     | 2
detect.nonmpm_list                         | Total                     | 9
detect.fnonmpm_list                        | Total                     | 7
detect.match_list                          | Total                     | 8
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 1
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.tx.dns_udp                       | Total                     | 2
app_layer.flow.failed_udp                  | Total                     | 2
flow.spare                                 | Total                     | 9984
flow_mgr.flows_checked                     | Total                     | 6
flow_mgr.flows_notimeout                   | Total                     | 6
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65530
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7075456


eve.json - (3058 bytes)
{"timestamp":"2019-08-22T15:38:43.117431+0000","flow_id":2010369887554231,"pcap_cnt":6,"event_type":"dns","src_ip":"192.168.240.80","src_port":57881,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28741,"rrname":"ip-api.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-08-22T15:38:43.182502+0000","flow_id":2010369887554231,"pcap_cnt":7,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.80","dest_port":57881,"proto":"UDP","dns":{"type":"answer","id":28741,"rcode":"NOERROR","rrname":"ip-api.com","rrtype":"A","ttl":99,"rdata":"69.195.146.130"}}
{"timestamp":"2019-08-22T15:38:43.605367+0000","flow_id":636066252178101,"pcap_cnt":14,"event_type":"alert","src_ip":"192.168.240.80","src_port":49289,"dest_ip":"69.195.146.130","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2022082,"rev":3,"signature":"ET POLICY External IP Lookup ip-api.com","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-08-22T15:38:43.605367+0000","flow_id":636066252178101,"pcap_cnt":14,"event_type":"alert","src_ip":"192.168.240.80","src_port":49289,"dest_ip":"69.195.146.130","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2823676,"rev":2,"signature":"ETPRO TROJAN W32\/Quasar 1.3 RAT Connectivity Check","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-08-22T15:38:43.605367+0000","flow_id":636066252178101,"pcap_cnt":14,"event_type":"http","src_ip":"192.168.240.80","src_port":49289,"dest_ip":"69.195.146.130","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ip-api.com","url":"\/json\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.3; rv:48.0) Gecko\/20100101 Firefox\/48.0","http_content_type":"application\/json"}}
{"timestamp":"2019-08-22T15:38:44.414443+0000","flow_id":130359622914795,"pcap_cnt":15,"event_type":"dns","src_ip":"192.168.240.80","src_port":59263,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23459,"rrname":"hussaryn-36811.portmap.host","rrtype":"A","tx_id":0}}
{"timestamp":"2019-08-22T15:38:44.536629+0000","flow_id":130359622914795,"pcap_cnt":16,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.80","dest_port":59263,"proto":"UDP","dns":{"type":"answer","id":23459,"rcode":"NOERROR","rrname":"hussaryn-36811.portmap.host","rrtype":"A","ttl":299,"rdata":"193.161.193.99"}}
{"timestamp":"2019-08-22T15:38:51.395462+0000","flow_id":636066252178101,"pcap_cnt":28,"event_type":"fileinfo","src_ip":"69.195.146.130","src_port":80,"dest_ip":"192.168.240.80","dest_port":49289,"proto":"TCP","http":{"hostname":"ip-api.com","url":"\/json\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.3; rv:48.0) Gecko\/20100101 Firefox\/48.0","http_content_type":"application\/json","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":307},"app_proto":"http","fileinfo":{"filename":"\/json\/","gaps":false,"state":"CLOSED","stored":false,"size":307,"tx_id":0}}


keyword_perf.log - (8424 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 9/16/2019 -- 09:58:35
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             359206          52              52              53780           6907.00         6907.00         0.00           
  content          713690          104             75              30748           6862.00         7097.00         6253.00        
  pcre             409562          13              2               104524          31504.00        31771.00        31456.00       
  byte_test        109190          14              5               36422           7799.00         12504.00        5185.00        
  isdataat         9522            2               0               4966            4761.00         0.00            4761.00        
  urilen           76510           14              2               6516            5465.00         5534.00         5453.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             359206          52              52              53780           6907.00         6907.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          156000          20              14              30748           7800.00         8524.00         6110.00        
  byte_test        109190          14              5               36422           7799.00         12504.00        5185.00        
  isdataat         9522            2               0               4966            4761.00         0.00            4761.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          45330           7               2               7648            6475.00         5991.00         6669.00        
  pcre             44626           2               0               29880           22313.00        0.00            22313.00       
  urilen           76510           14              2               6516            5465.00         5534.00         5453.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5850            1               0               5850            5850.00         0.00            5850.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          338656          50              43              9246            6773.00         6839.00         6365.00        
  pcre             331446          9               2               104524          36827.00        31771.00        38272.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          58562           9               5               7480            6506.00         6784.00         6159.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          16664           3               1               7042            5554.00         7042.00         4811.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          87228           13              9               7936            6709.00         6729.00         6666.00        
  pcre             33490           2               0               16974           16745.00        0.00            16745.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5400            1               1               5400            5400.00         5400.00         0.00           
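The tables above are Suricata's per-buffer keyword profiling (ticks are CPU cycle counts, available only when Suricata is built with `--enable-profiling`). What a rule author wants from them is a ranking: which keyword costs the most per evaluation, and which keywords are evaluated but never match, which usually means the rule's fast_pattern or pre-filter is letting too much traffic through to the expensive `pcre`. The following parser is an added example, not code from the page, from Suricata or from IDSDeathBlossom; the embedded sample is three of the tables above reproduced verbatim so it runs offline, and the helper names (`parse_keyword_stats`, `rank_by_avg_cost`, `never_matched`, `ticks_by_buffer`) are this example's own.

```python
"""Rank Suricata keyword-profiling tables by cost (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: three "Stats for:" tables copied from the report above.
SAMPLE = """\
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          16664           3               1               7042            5554.00         7042.00         4811.00
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          87228           13              9               7936            6709.00         6729.00         6666.00
  pcre             33490           2               0               16974           16745.00        0.00            16745.00
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          5400            1               1               5400            5400.00         5400.00         0.00
"""

HEADER_RE = re.compile(r"^\s*Stats for:\s*(\S+)")
# keyword, Ticks, Checks, Matches, Max Ticks (ints), then Avg, Avg Match, Avg No Match (floats)
ROW_RE = re.compile(
    r"^\s*([A-Za-z_]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


@dataclass(frozen=True)
class KeywordStat:
    buffer: str        # sticky buffer the keyword ran against (http_host, ...)
    keyword: str       # content, pcre, ...
    ticks: int         # total CPU ticks spent on this keyword in this buffer
    checks: int        # number of evaluations
    matches: int       # evaluations that matched
    max_ticks: int     # worst single evaluation
    avg: float         # ticks per evaluation
    avg_match: float
    avg_no_match: float

    @property
    def match_rate(self) -> float:
        """Fraction of evaluations that matched; 0.0 when never evaluated."""
        return self.matches / self.checks if self.checks else 0.0


def parse_keyword_stats(text: str) -> List[KeywordStat]:
    """Walk the dump, tracking the current 'Stats for:' buffer and collecting rows."""
    stats: List[KeywordStat] = []
    buffer = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            buffer = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and buffer is not None:  # the column-title and dashed lines never match ROW_RE
            kw, ticks, checks, matches, max_t, avg, avg_m, avg_nm = m.groups()
            stats.append(KeywordStat(buffer, kw, int(ticks), int(checks), int(matches),
                                     int(max_t), float(avg), float(avg_m), float(avg_nm)))
    return stats


def rank_by_avg_cost(stats: List[KeywordStat]) -> List[KeywordStat]:
    """Most expensive keyword per evaluation first."""
    return sorted(stats, key=lambda s: s.avg, reverse=True)


def never_matched(stats: List[KeywordStat]) -> List[KeywordStat]:
    """Keywords that were evaluated at least once but never matched: the pre-filter
    in front of them is admitting traffic they always reject."""
    return [s for s in stats if s.checks > 0 and s.matches == 0]


def ticks_by_buffer(stats: List[KeywordStat]) -> Dict[str, int]:
    """Total ticks spent per sticky buffer."""
    totals: Dict[str, int] = {}
    for s in stats:
        totals[s.buffer] = totals.get(s.buffer, 0) + s.ticks
    return totals


if __name__ == "__main__":
    parsed = parse_keyword_stats(SAMPLE)
    for s in rank_by_avg_cost(parsed):
        print(f"{s.buffer:18} {s.keyword:8} avg={s.avg:9.1f} match_rate={s.match_rate:.2f}")
    for s in never_matched(parsed):
        print(f"never matched: {s.buffer}/{s.keyword} ({s.checks} checks, {s.ticks} ticks)")
```

On this report the ranking singles out the `pcre` on `http_user_agent`: two evaluations, no matches, and roughly 2.5 times the per-check cost of the `content` keywords. That is the usual shape of a rule whose `content` anchor is too generic to keep the regex from running; the fix lives in the rule's fast_pattern, not in the regex.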


IDSDeathBlossom.py.log - (1149 bytes) - download
2019-09-16 09:58:11,208 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-09-16 09:58:11,957 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-09-16 09:58:11,957 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-09-16 09:58:11,957 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-09-16 09:58:11,958 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-09-16 09:58:11,958 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e6a7cc43baf1f996b1c8c1a7c9ab031956b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09162019.0958-network_1.pcap -vvv -k none
2019-09-16 09:58:35,432 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-09-16 09:58:35,433 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 24.2333939075