Filename: 2019-01-30-Emotet-infection-with-IcedID.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 21.8181130886 seconds
Hash: e77c792636255f8285d7139a5b419531
Uploaded: 1548924640

Logfiles


suricata-report-2019-01-31-T-08-51-02-01312019.0850-2019-01-30-Emotet-infection-with-IcedID.pcap.txt - (17824 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e77c792636255f8285d7139a5b41953156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01312019.0850-2019-01-30-Emotet-infection-with-IcedID.pcap -vvv -k none
elapsedtime:20.923019
stderr:
stdout:
31/1/2019 -- 08:50:41 - <Info> - Configuration node 'rule-files' redefined.
31/1/2019 -- 08:50:41 - <Notice> - This is Suricata version 4.0.0 RELEASE
31/1/2019 -- 08:50:41 - <Info> - CPUs/cores online: 1
31/1/2019 -- 08:50:41 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31354 and 'request-body-inspect-window' set to 17170 after randomization.
31/1/2019 -- 08:50:41 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33444 and 'response-body-inspect-window' set to 16633 after randomization.
31/1/2019 -- 08:50:41 - <Config> - DNS request flood protection level: 500
31/1/2019 -- 08:50:41 - <Config> - DNS per flow memcap (state-memcap): 524288
31/1/2019 -- 08:50:41 - <Config> - DNS global memcap: 16777216
31/1/2019 -- 08:50:41 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
31/1/2019 -- 08:50:41 - <Config> - preallocated 1000 hosts of size 136
31/1/2019 -- 08:50:41 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
31/1/2019 -- 08:50:41 - <Config> - using magic-file /usr/share/file/magic
31/1/2019 -- 08:50:41 - <Config> - Core dump size is unlimited.
31/1/2019 -- 08:50:41 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
31/1/2019 -- 08:50:41 - <Config> - preallocated 1000 defrag trackers of size 168
31/1/2019 -- 08:50:41 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
31/1/2019 -- 08:50:41 - <Config> - stream "prealloc-sessions": 2048 (per thread)
31/1/2019 -- 08:50:41 - <Config> - stream "memcap": 33554432
31/1/2019 -- 08:50:41 - <Config> - stream "midstream" session pickups: disabled
31/1/2019 -- 08:50:41 - <Config> - stream "async-oneside": disabled
31/1/2019 -- 08:50:41 - <Config> - stream "checksum-validation": disabled
31/1/2019 -- 08:50:41 - <Config> - stream."inline": disabled
31/1/2019 -- 08:50:41 - <Config> - stream "bypass": disabled
31/1/2019 -- 08:50:41 - <Config> - stream "max-synack-queued": 5
31/1/2019 -- 08:50:41 - <Config> - stream.reassembly "memcap": 134217728
31/1/2019 -- 08:50:41 - <Config> - stream.reassembly "depth": 0
31/1/2019 -- 08:50:41 - <Config> - stream.reassembly "toserver-chunk-size": 2435
31/1/2019 -- 08:50:41 - <Config> - stream.reassembly "toclient-chunk-size": 2537
31/1/2019 -- 08:50:41 - <Config> - stream.reassembly.raw: enabled
31/1/2019 -- 08:50:41 - <Config> - stream.reassembly "segment-prealloc": 2048
31/1/2019 -- 08:50:41 - <Config> - Delayed detect disabled
31/1/2019 -- 08:50:41 - <Config> - pattern matchers: MPM: ac, SPM: bm
31/1/2019 -- 08:50:41 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
31/1/2019 -- 08:50:41 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
31/1/2019 -- 08:50:41 - <Config> - prefilter engines: MPM
31/1/2019 -- 08:50:41 - <Config> - IP reputation disabled
31/1/2019 -- 08:50:41 - <Perf> - Registered 148 keyword profiling counters.
31/1/2019 -- 08:50:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
31/1/2019 -- 08:50:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
31/1/2019 -- 08:50:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
31/1/2019 -- 08:50:46 - <Config> - No rules loaded from ET-icmp.rules.
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
31/1/2019 -- 08:50:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
31/1/2019 -- 08:50:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
31/1/2019 -- 08:50:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
31/1/2019 -- 08:50:47 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
31/1/2019 -- 08:50:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
31/1/2019 -- 08:50:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
31/1/2019 -- 08:50:49 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
31/1/2019 -- 08:50:51 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
31/1/2019 -- 08:50:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
31/1/2019 -- 08:50:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
31/1/2019 -- 08:50:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
31/1/2019 -- 08:50:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
31/1/2019 -- 08:50:52 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
31/1/2019 -- 08:50:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
31/1/2019 -- 08:50:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
31/1/2019 -- 08:50:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
31/1/2019 -- 08:50:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
31/1/2019 -- 08:50:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
31/1/2019 -- 08:50:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
31/1/2019 -- 08:50:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
31/1/2019 -- 08:50:53 - <Config> - No rules loaded from local.rules.
31/1/2019 -- 08:50:53 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
31/1/2019 -- 08:50:53 - <Info> - Threshold config parsed: 0 rule(s) found
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for tcp-packet
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for tcp-stream
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for udp-packet
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for other-ip
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_uri
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_request_line
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_client_body
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_response_line
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_header
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_header
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_header_names
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_header_names
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_accept
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_accept_enc
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_accept_lang
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_referer
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_connection
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_content_len
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_content_len
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_content_type
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_content_type
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_protocol
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_protocol
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_start
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_start
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_raw_header
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_raw_header
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_method
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_cookie
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_cookie
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_raw_uri
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_user_agent
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_host
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_raw_host
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_stat_msg
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_stat_code
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for dns_query
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for tls_sni
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for tls_cert_issuer
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for tls_cert_subject
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for tls_cert_serial
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for dce_stub_data
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for dce_stub_data
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for ssh_protocol
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for ssh_protocol
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for ssh_software
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for ssh_software
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for file_data
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for file_data
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_request_line
31/1/2019 -- 08:50:54 - <Perf> - using shared mpm ctx' for http_response_line
31/1/2019 -- 08:50:54 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
31/1/2019 -- 08:50:54 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
31/1/2019 -- 08:50:54 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
31/1/2019 -- 08:50:54 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
31/1/2019 -- 08:50:54 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
31/1/2019 -- 08:50:54 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
31/1/2019 -- 08:50:54 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
31/1/2019 -- 08:50:54 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
31/1/2019 -- 08:50:58 - <Perf> - Unique rule groups: 104
31/1/2019 -- 08:50:58 - <Perf> - Builtin MPM "toserver TCP packet": 35
31/1/2019 -- 08:50:58 - <Perf> - Builtin MPM "toclient TCP packet": 17
31/1/2019 -- 08:50:58 - <Perf> - Builtin MPM "toserver TCP stream": 33
31/1/2019 -- 08:50:58 - <Perf> - Builtin MPM "toclient TCP stream": 19
31/1/2019 -- 08:50:58 - <Perf> - Builtin MPM "toserver UDP packet": 27
31/1/2019 -- 08:50:58 - <Perf> - Builtin MPM "toclient UDP packet": 17
31/1/2019 -- 08:50:58 - <Perf> - Builtin MPM "other IP packet": 3
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_uri": 14
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_request_line": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_client_body": 6
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient http_response_line": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_header": 10
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient http_header": 6
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_header_names": 2
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_accept": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_referer": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_content_len": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_content_type": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient http_content_type": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_protocol": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_start": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_method": 5
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_cookie": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient http_cookie": 2
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver http_host": 2
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver dns_query": 4
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver tls_sni": 2
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toserver file_data": 1
31/1/2019 -- 08:50:58 - <Perf> - AppLayer MPM "toclient file_data": 7
31/1/2019 -- 08:51:00 - <Perf> - Registered 39590 rule profiling counters.
31/1/2019 -- 08:51:00 - <Info> - fast output device (regular) initialized: alert
31/1/2019 -- 08:51:00 - <Info> - eve-log output device (regular) initialized: eve.json
31/1/2019 -- 08:51:00 - <Config> - enabling 'eve-log' module 'alert'
31/1/2019 -- 08:51:00 - <Config> - enabling 'eve-log' module 'http'
31/1/2019 -- 08:51:00 - <Config> - enabling 'eve-log' module 'dns'
31/1/2019 -- 08:51:00 - <Config> - enabling 'eve-log' module 'tls'
31/1/2019 -- 08:51:00 - <Config> - enabling 'eve-log' module 'files'
31/1/2019 -- 08:51:00 - <Config> - enabling 'eve-log' module 'ssh'
31/1/2019 -- 08:51:00 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
31/1/2019 -- 08:51:00 - <Info> - stats output device (regular) initialized: stats.log
31/1/2019 -- 08:51:00 - <Config> - AutoFP mode using "Hash" flow load balancer
31/1/2019 -- 08:51:00 - <Info> - reading pcap file /var/pcap/01312019.0850-2019-01-30-Emotet-infection-with-IcedID.pcap
31/1/2019 -- 08:51:00 - <Config

This file has been truncated.


packet_stats.log - (12917 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          3172          2249876      767817529     520493928       1651.0b   99.67
 IPv4      17            12         13261487      765393359     461019328          5.5b    0.33
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          3172            66442       19297131        282798        897.0m   95.33
TMM_FLOWWORKER              IPv4      17            12           305241       11160903       1356259         16.3m    1.73
TMM_RECEIVEPCAPFILE         IPv4       6          3158             2540        4571705          4375         13.8m    1.47
TMM_RECEIVEPCAPFILE         IPv4      17            12             2597          10360          3324         39.9k    0.00
TMM_DECODEPCAPFILE          IPv4       6          3158             2647        4553256          4365         13.8m    1.47
TMM_DECODEPCAPFILE          IPv4      17            12             2816          18375          5187         62.2k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          3158             2811         384579          3429         10.8m  1.27  
flow                    IPv4      17            12             3191          13913          5531         66.4k  0.01  
stream                  IPv4       6          3172             2578         413998          8631         27.4m  3.22  
app-layer               IPv4      17            12            11319          34876         19968        239.6k  0.03  
detect                  IPv4       6          3172            44708       18897136        251585        798.0m  93.80 
detect                  IPv4      17            12           235424         611520        377234          4.5m  0.53  
tcp-prune               IPv4       6          3172             2543          40010          3057          9.7m  1.14  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            13             3294          37556         11705        152.2k  50.17 
tls                     IPv4       6            18             2634           7248          3377         60.8k  20.04 
dns                     IPv4      17            12             5356          11998          7527         90.3k  29.78 
Proto detect            IPv4      17            11             6314          13375          9123        100.4k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             2            51713          90804         71258        142.5k  0.94  
LOGGER_UNIFIED2             IPv4       6             2           139493         186204        162848        325.7k  2.14  
LOGGER_JSON_ALERT           IPv4       6             2            76630         105448         91039        182.1k  1.19  
LOGGER_JSON_DNS             IPv4      17            12            37708       10465398        935768         11.2m  73.68 
LOGGER_JSON_HTTP            IPv4       6            15            62615         233988        116169          1.7m  11.43 
LOGGER_JSON_TLS             IPv4       6             9            38078          82703         54994        495.0k  3.25  
LOGGER_JSON_FILE            IPv4       6            14            54868         157639         80183          1.1m  7.37  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1470             2582         126157         20234        29.7m  12.24 
payload                           IPv4      17            12            21160          32872         27576       330.9k  0.14  
stream                            IPv4       6          1470             2534        1193863         33701        49.5m  20.39 
http_uri                          IPv4       6            15             3244          21265          7298       109.5k  0.05  
http_request_line                 IPv4       6            15             4102           8728          5904        88.6k  0.04  
http_client_body                  IPv4       6            15             2984           4799          3638        54.6k  0.02  
http_header (request)             IPv4       6            15             9662          91667         52808       792.1k  0.33  
http_header (request trailer)     IPv4       6            15             2569           3074          2670        40.1k  0.02  
http_header_names (request)       IPv4       6            15             7168          25859         14910       223.7k  0.09  
http_accept (request)             IPv4       6            15             3173           7664          3975        59.6k  0.02  
http_referer (request)            IPv4       6            15             2840          34121          5313        79.7k  0.03  
http_content_len (request)        IPv4       6            15             2990           4264          3453        51.8k  0.02  
http_content_type (request)       IPv4       6            15             2866           4083          3367        50.5k  0.02  
http_protocol (request)           IPv4       6            15             3278          18657          5526        82.9k  0.03  
http_start (request)              IPv4       6            15             8568          27735         16015       240.2k  0.10  
http_raw_header (request)         IPv4       6            15             8518          22610         16779       251.7k  0.10  
http_method                       IPv4       6            15             3669           6822          5336        80.0k  0.03  
http_cookie (request)             IPv4       6            15             3052          17376          9836       147.5k  0.06  
http_raw_uri                      IPv4       6            15             2689          15958          4735        71.0k  0.03  
http_user_agent                   IPv4       6            15             3078          64824         28442       426.6k  0.18  
http_host                         IPv4       6            15             3416           9173          5527        82.9k  0.03  
dns_query                         IPv4      17             6             6668           8657          7359        44.2k  0.02  
tls_sni                           IPv4       6             9             3263           8504          5764        51.9k  0.02  
http_response_line                IPv4       6            15             3137          64571         10859       162.9k  0.07  
http_header (response)            IPv4       6            54             2676          92296         12034       649.8k  0.27  
http_header (response trailer)    IPv4       6            14             2651          92397         15126       211.8k  0.09  
http_content_type (response)      IPv4       6            54             2769          10464          4198       226.7k  0.09  
http_raw_header (response)        IPv4       6          1320             3457          61523          4945         6.5m  2.69  
http_cookie (response)            IPv4       6            54             2720           3885          2923       157.9k  0.06  
http_stat_code                    IPv4       6            54             2632           4846          3078       166.2k  0.07  
tls_cert_issuer                   IPv4       6             9             3647           7552          5309        47.8k  0.02  
tls_cert_subject                  IPv4       6             9             3518          11735          6329        57.0k  0.02  
tls_cert_serial                   IPv4       6             9             3062          37794          7834        70.5k  0.03  
file_data (http response)         IPv4       6          1306             2573        6804015        116435       152.1m  62.58 
Total                             IPv4                  6135                                         39607       243.0m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            68             3223         114856         28865          2.0m  0.17  
PROF_DETECT_IPONLY          IPv4      17            12            37160          89332         56112        673.3k  0.06  
PROF_DETECT_RULES           IPv4       6          3172             2527       17524023         95159        301.8m  25.79 
PROF_DETECT_RULES           IPv4      17            12            80499         313988        190775          2.3m  0.20  
PROF_DETECT_STATEFUL_START    IPv4       6          1198             5100       17177595        140150        167.9m  14.34 
PROF_DETECT_STATEFUL_CONT    IPv4       6          3172             2510          88466          8178         25.9m  2.22  
PROF_DETECT_STATEFUL_CONT    IPv4      17            12             5583          78315         12391        148.7k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          3028             2550          67135          2827          8.6m  0.73  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            12             2711           3280          2968         35.6k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          3172             7754        6969593        103582        328.6m  28.07 
PROF_DETECT_PREFILTER       IPv4      17            12            48279          91238         62855        754.3k  0.06  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1470            13011        1205606         62414         91.8m  7.84  
PROF_DETECT_PF_PAYLOAD      IPv4      17            12            26494          38234         32868        394.4k  0.03  
PROF_DETECT_PF_TX           IPv4       6          3028             2549        6819489         60234        182.4m  15.58 
PROF_DETECT_PF_TX           IPv4      17             6            12353          35086         17033        102.2k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6           948             2523          42871          3524          3.3m  0.29  
PROF_DETECT_PF_SORT1        IPv4      17            12             3082           5555          3915         47.0k  0.00  
PROF_DETECT_PF_SORT2        IPv4       6          3172             2516        6398161          4995         15.8m  1.35  
PROF_DETECT_PF_SORT2        IPv4      17            12             2993          18658          5077         60.9k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          3172             2529          55242          3017          9.6m  0.82  
PROF_DETECT_NONMPMLIST      IPv4      17            12             2923           4270          3415         41.0k  0.00  
PROF_DETECT_ALERT           IPv4       6          3172             2518          53640          2827          9.0m  0.77  
PROF_DETECT_ALERT           IPv4      17            12             2537           5210          2972         35.7k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          3172             2551          48523          2948          9.4m  0.80  
PROF_DETECT_CLEANUP         IPv4      17            12             3085          21701          5481         65.8k  0.01  
PROF_DETECT_GETSGH          IPv4       6          3172             2512          41491          3117          9.9m  0.84  
PROF_DETECT_GETSGH          IPv4      17            12             5881           7442          6351         76.2k  0.01  


unified2.alert.1548924660 - (16632 bytes)

This file has been truncated.


suricata-4.0.0-etpro-all-perf.txt-2019-01-31-T-08-51-02-01312019.0850-2019-01-30-Emotet-infection-with-IcedID.pcap.txt - (65238 bytes)
  --------------------------------------------------------------------------
  Date: 1/31/2019 -- 08:51:02. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2806020      1        2        16088213     6.07   1        0        16088213    16088213.00 0.00        16088213.00
  2        2820158      1        2        37202536     14.04  131      0        11340667    283988.82   0.00        283988.82  
  3        2820157      1        2        27138079     10.24  131      0        6886799     207160.91   0.00        207160.91  
  4        2819664      1        2        31088266     11.73  146      0        6659860     212933.33   0.00        212933.33  
  5        2819930      1        2        23682664     8.94   146      0        331054      162210.03   0.00        162210.03  
  6        2020865      1        3        9707093      3.66   75       0        266739      129427.91   0.00        129427.91  
  7        2018342      1        2        1050621      0.40   9        0        205457      116735.67   0.00        116735.67  
  8        2807932      1        6        1450899      0.55   8        0        202740      181362.38   0.00        181362.38  
  9        2021433      1        2        888789       0.34   9        0        134241      98754.33    0.00        98754.33   
  10       2809747      1        2        132592       0.05   1        0        132592      132592.00   0.00        132592.00  
  11       2019344      1        5        625032       0.24   10       0        130188      62503.20    0.00        62503.20   
  12       2021434      1        2        893780       0.34   9        0        122773      99308.89    0.00        99308.89   
  13       2018358      1        7        882030       0.33   10       0        121948      88203.00    0.00        88203.00   
  14       2021432      1        2        868130       0.33   9        0        111753      96458.89    0.00        96458.89   
  15       2830701      1        1        765209       0.29   10       0        111370      76520.90    0.00        76520.90   
  16       2021586      1        3        867305       0.33   9        0        107430      96367.22    0.00        96367.22   
  17       2829644      1        1        159906       0.06   3        0        106504      53302.00    0.00        53302.00   
  18       2023476      1        5        739479       0.28   9        0        102208      82164.33    0.00        82164.33   
  19       2820600      1        2        458596       0.17   6        0        98016       76432.67    0.00        76432.67   
  20       2801929      1        7        533552       0.20   16       0        96021       33347.00    0.00        33347.00   
  21       2816940      1        2        714689       0.27   12       0        94952       59557.42    0.00        59557.42   
  22       2023875      1        2        339498       0.13   10       0        91044       33949.80    0.00        33949.80   
  23       2020388      1        8        330149       0.12   12       0        88878       27512.42    0.00        27512.42   
  24       2828008      1        2        619943       0.23   12       0        88682       51661.92    0.00        51661.92   
  25       2829607      1        1        128126       0.05   3        1        87753       42708.67    87753.00    20186.50   
  26       2801930      1        7        472977       0.18   16       0        86473       29561.06    0.00        29561.06   
  27       2816909      1        2        725598       0.27   12       0        86298       60466.50    0.00        60466.50   
  28       2803027      1        6        309401       0.12   17       0        83563       18200.06    0.00        18200.06   
  29       2016537      1        2        10865431     4.10   730      3        82819       14884.15    61826.67    14690.44   
  30       2821615      1        2        411940       0.16   13       0        81516       31687.69    0.00        31687.69   
  31       2827279      1        5        604936       0.23   12       0        81437       50411.33    0.00        50411.33   
  32       2816895      1        2        80769        0.03   1        0        80769       80769.00    0.00        80769.00   
  33       2814979      1        2        568916       0.21   9        0        79934       63212.89    0.00        63212.89   
  34       2815324      1        2        380434       0.14   10       0        77290       38043.40    0.00        38043.40   
  35       2022262      1        3        332679       0.13   10       0        74250       33267.90    0.00        33267.90   
  36       2018292      1        1        174047       0.07   37       0        72469       4703.97     0.00        4703.97    
  37       2008575      1        5        3074702      1.16   354      0        72108       8685.60     0.00        8685.60    
  38       2814978      1        2        559054       0.21   9        0        70679       62117.11    0.00        62117.11   
  39       2025064      1        5        484431       0.18   12       0        67799       40369.25    0.00        40369.25   
  40       2812916      1        6        348803       0.13   10       0        67319       34880.30    0.00        34880.30   
  41       2828060      1        4        378612       0.14   11       0        66676       34419.27    0.00        34419.27   
  42       2810481      1        4        2591460      0.98   130      0        66319       19934.31    0.00        19934.31   
  43       2826727      1        2        378084       0.14   6        0        66302       63014.00    0.00        63014.00   
  44       2022197      1        3        178282       0.07   5        0        66107       35656.40    0.00        35656.40   
  45       2804911      1        3        204119       0.08   20       0        64195       10205.95    0.00        10205.95   
  46       2816165      1        5        581505       0.22   15       0        64193       38767.00    0.00        38767.00   
  47       2023711      1        2        94749        0.04   12       0        63664       7895.75     0.00        7895.75    
  48       2802987      1        5        309275       0.12   26       0        63191       11895.19    0.00        11895.19   
  49       2816910      1        2        679377       0.26   12       0        62853       56614.75    0.00        56614.75   
  50       2021076      1        2        221011       0.08   12       0        62114       18417.58    0.00        18417.58   
  51       2822213      1        2        467201       0.18   9        0        61798       51911.22    0.00        51911.22   
  52       2018982      1        2        212383       0.08   4        0        61783       53095.75    0.00        53095.75   
  53       2022220      1        2        354898       0.13   10       0        60538       35489.80    0.00        35489.80   
  54       2804906      1        3        172927       0.07   15       0        60263       11528.47    0.00        11528.47   
  55       2815817      1        5        409568       0.15   12       0        59768       34130.67    0.00        34130.67   
  56       2803657      1        5        250887       0.09   22       0        59428       11403.95    0.00        11403.95   
  57       2816929      1        4        361930       0.14   12       0        59095       30160.83    0.00        30160.83   
  58       2018005      1        6        420747       0.16   9        0        57542       46749.67    0.00        46749.67   
  59       2013827      1        6        149048       0.06   4        0        57325       37262.00    0.00        37262.00   
  60       2017552      1        6        10421242     3.93   742      0        56419       14044.80    0.00        14044.80   
  61       2806802      1        2        6413584      2.42   317      0        55889       20232.13    0.00        20232.13   
  62       2022535      1        11       417528       0.16   9        0        55308       46392.00    0.00        46392.00   
  63       2024829      1        2        2569007      0.97   127      0        55100       20228.40    0.00        20228.40   
  64       2811447      1        2        975983       0.37   31       0        54999       31483.32    0.00        31483.32   
  65       2816327      1        4        446094       0.17   12       0        54995       37174.50    0.00        37174.50   
  66       2815568      1        2        54312        0.02   1        0        54312       54312.00    0.00        54312.00   
  67       2827575      1        2        381368       0.14   12       0        54207       31780.67    0.00        31780.67   
  68       2018959      1        3        85671        0.03   12       1        53746       7139.25     53746.00    2902.27    
  69       2022339      1        2        422990       0.16   10       0        53503       42299.00    0.00        42299.00   
  70       2819673      1        4        358315       0.14   12       0        53490       29859.58    0.00        29859.58   
  71       2828986      1        2        358783       0.14   11       0        53273       32616.64    0.00        32616.64   
  72       2021399      1        3        52978        0.02   1        0        52978       52978.00    0.00        52978.00   
  73       2008420      1        4        139243       0.05   29       0        51425       4801.48     0.00        4801.48    
  74       2018241      1        2        82148        0.03   12       0        51133       6845.67     0.00        6845.67    
  75       2014519      1        7        2295793      0.87   128      0        51074       17935.88    0.00        17935.88   
  76       2821839      1        2        93487        0.04   2        0        50949       46743.50    0.00        46743.50   
  77       2807400      1        3        161782       0.06   4        0        50906       40445.50    0.00        40445.50   
  78       2811701      1        2        338381       0.13   16       0        50643       21148.81    0.00        21148.81   
  79       2804907      1        3        115471       0.04   13       0        50608       8882.38     0.00        8882.38    
  80       2828122      1        2        338697       0.13   10       0        50206       33869.70    0.00        33869.70   
  81       2023315      1        2        353040       0.13   10       0        49902       35304.00    0.00        35304.00   
  82       2016538      1        3        79185        0.03   12       1        49055       6598.75     49055.00    2739.09    
  83       2018375      1        3        627633       0.24   45       0        48670       13947.40    0.00        13947.40   
  84       2022627      1        12       396469       0.15   9        0        48440       44052.11    0.00        44052.11   
  85       2821561      1        2        371464       0.14   10       0        48403       37146.40    0.00        37146.40   
  86       2019881      1        3        346077       0.13   10       0        48352       34607.70    0.00        34607.70   
  87       2826256      1        2        386940       0.15   15       0        48333       25796.00    0.00        25796.00   
  88       2804626      1        9        274936       0.10   12       0        47836       22911.33    0.00        22911.33   
  89       2805985      1        2        163676       0.06   4        0        47624       40919.00    0.00        40919.00   
  90       2830124      1        1        112087       0.04   3        0        47583       37362.33    0.00        37362.33   
  91       2013352      1        4        78057        0.03   12       0        47412       6504.75     0.00        6504.75    
  92       2022503      1        2        350400       0.13   10       0        46926       35040.00    0.00        35040.00   
  93       2018242      1        5        372690       0.14   10       0        46857       37269.00    0.00        37269.00   
  94       2008438      1        20       176761       0.07   4        0        46632       44190.25    0.00        44190.25   
  95       2823858      1        3        46500        0.02   1        0        46500       46500.00    0.00        46500.00   
  96       2826281      1        2        130801       0.05   6        0        46384       21800.17    0.00        21800.17   
  97       2014353      1        6        76767        0.03   12       0        46286       6397.25     0.00        6397.25    
  98       2024272      1        4        224543       0.08   10       0        46209       22454.30    0.00        22454.30   
  99       2001330      1        8        3170951      1.20   1057     0        46167       2999.95     0.00        2999.95    
  100      2823570      1        4        224680       0.08   10       0        45926       22468.00    0.00        22468.00   
  101      2808234      1        1        147174       0.06   4        0        45911       36793.50    0.00        36793.50   
  102      2804927      1        2        144580       0.05   20       0        45816       7229.00     0.00        7229.00    
  103      2018958      1        18       404617       0.15   10       0        45627       40461.70    0.00        40461.70   
  104      2009028      1        11       77184        0.03   12       0        45492       6432.00     0.00        6432.00    
  105      2022552      1        2        1651517      0.62   80       0        45397       20643.96    0.00        20643.96   
  106      2021067      1        2        179173       0.07   5        4        44743       35834.60    37100.50    30771.00   
  107      2807970      1        8        44131        0.02   1        0        44131       44131.00    0.00        44131.00   
  108      2017036      1        3        43895        0.02   1        0        43895       43895.00    0.00        43895.00   
  109      2022050      1        3        144699       0.05   4        0        43841       36174.75    0.00        36174.75   
  110      2019345      1        2        914657       0.35   61       0        43830       14994.38    0.00        14994.38   
  111      2020569      1        1        149519       0.06   4        0        43692       37379.75    0.00        37379.75   
  112      2820851      1        5        424592       0.16   12       0        43662       35382.67    0.00        35382.67   
  113      2024771      1        1        197442       0.07   11       0        43520       17949.27    0.00        17949.27   
  114      2816925      1        3        370387       0.14   12       0        43150       30865.58    0.00        30865.58   
  115      2016223      1        10       260019       0.10   10       0        43026       26001.90    0.00        26001.90   
  116      2016394      1        6        157095       0.06   7        0        42527       22442.14    0.00        22442.14   
  117      2816526      1        13       350199       0.13   12       0        42500       29183.25    0.00        29183.25   
  118      2003657      1        18       232208       0.09   10       0        42334       23220.80    0.00        23220.80   
  119      2816328      1        5        344952       0.13   12       0        42265       28746.00    0.00        28746.00   
  120      2022053      1        2        218431       0.08   12       0        42190       18202.58    0.00        18202.58   
  121      2820031      1        2        296005       0.11   10       0        42078       29600.50    0.00        29600.50   
  122      2804096      1        9        190899       0.07   12       0        41835       15908.25    0.00        15908.25   
  123      2020657      1        2        41834        0.02   1        1        41834       41834.00    41834.00    0.00       
  124      2009897      1        14       130467       0.05   4        0        41761       32616.75    0.00        32616.75   
  125      2022203      1        2        1

This file has been truncated.


stats.log - (3300 bytes)
------------------------------------------------------------------------------------
Date: 1/31/2019 -- 08:51:02 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 3170
decoder.bytes                              | Total                     | 2626984
decoder.ipv4                               | Total                     | 3170
decoder.ethernet                           | Total                     | 3170
decoder.tcp                                | Total                     | 3158
decoder.udp                                | Total                     | 12
decoder.avg_pkt_size                       | Total                     | 828
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 34
flow.udp                                   | Total                     | 6
tcp.sessions                               | Total                     | 34
tcp.syn                                    | Total                     | 66
tcp.synack                                 | Total                     | 18
tcp.rst                                    | Total                     | 35
detect.alert                               | Total                     | 4
detect.mpm_list                            | Total                     | 2
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 3
app_layer.flow.http                        | Total                     | 9
app_layer.tx.http                          | Total                     | 15
app_layer.flow.tls                         | Total                     | 9
app_layer.flow.dns_udp                     | Total                     | 6
app_layer.tx.dns_udp                       | Total                     | 6
flow_mgr.closed_pruned                     | Total                     | 3
flow_mgr.new_pruned                        | Total                     | 16
flow_mgr.est_pruned                        | Total                     | 5
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 40
flow_mgr.flows_notimeout                   | Total                     | 6
flow_mgr.flows_timeout                     | Total                     | 34
flow_mgr.flows_timeout_inuse               | Total                     | 10
flow_mgr.flows_removed                     | Total                     | 24
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65496
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7085824


eve.json - (24400 bytes)
{"timestamp":"2019-01-30T22:22:25.763353+0000","flow_id":1715189345002969,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.30.102","src_port":55548,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41251,"rrname":"npbina.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T22:22:25.830468+0000","flow_id":1715189345002969,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.102","dest_port":55548,"proto":"UDP","dns":{"type":"answer","id":41251,"rcode":"NOERROR","rrname":"npbina.com","rrtype":"A","ttl":14399,"rdata":"69.160.38.10"}}
{"timestamp":"2019-01-30T22:22:26.060978+0000","flow_id":2166094339088312,"pcap_cnt":9,"event_type":"http","src_ip":"10.1.30.102","src_port":49196,"dest_ip":"69.160.38.10","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"npbina.com","url":"\/Details\/012019","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-30T22:22:26.064708+0000","flow_id":2166094339088312,"pcap_cnt":11,"event_type":"fileinfo","src_ip":"69.160.38.10","src_port":80,"dest_ip":"10.1.30.102","dest_port":49196,"proto":"TCP","http":{"hostname":"npbina.com","url":"\/Details\/012019","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/npbina.com\/Details\/012019\/","length":241},"app_proto":"http","fileinfo":{"filename":"\/Details\/012019","gaps":false,"state":"CLOSED","stored":false,"size":241,"tx_id":0}}
{"timestamp":"2019-01-30T22:22:26.327683+0000","flow_id":2166094339088312,"pcap_cnt":57,"event_type":"alert","src_ip":"69.160.38.10","src_port":80,"dest_ip":"10.1.30.102","dest_port":49196,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2020657,"rev":2,"signature":"ET TROJAN Possible malicious Office doc hidden in XML file","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-30T22:22:26.454991+0000","flow_id":2166094339088312,"pcap_cnt":263,"event_type":"http","src_ip":"10.1.30.102","src_port":49196,"dest_ip":"69.160.38.10","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"npbina.com","url":"\/Details\/012019\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/xml"}}
{"timestamp":"2019-01-30T22:22:31.511032+0000","flow_id":2166094339088312,"pcap_cnt":264,"event_type":"fileinfo","src_ip":"69.160.38.10","src_port":80,"dest_ip":"10.1.30.102","dest_port":49196,"proto":"TCP","http":{"hostname":"npbina.com","url":"\/Details\/012019\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":195350},"app_proto":"http","fileinfo":{"filename":"eFILE_Details.doc","gaps":false,"state":"CLOSED","stored":false,"size":195148,"tx_id":1}}
{"timestamp":"2019-01-30T22:22:55.072681+0000","flow_id":1892161326881769,"pcap_cnt":268,"event_type":"dns","src_ip":"10.1.30.102","src_port":65460,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60484,"rrname":"labtcompany.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T22:22:55.115063+0000","flow_id":1892161326881769,"pcap_cnt":269,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.102","dest_port":65460,"proto":"UDP","dns":{"type":"answer","id":60484,"rcode":"NOERROR","rrname":"labtcompany.com","rrtype":"A","ttl":10426,"rdata":"204.11.58.87"}}
{"timestamp":"2019-01-30T22:22:55.178124+0000","flow_id":1258275693651984,"pcap_cnt":276,"event_type":"http","src_ip":"10.1.30.102","src_port":49197,"dest_ip":"204.11.58.87","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"labtcompany.com","url":"\/kixeNn1wNu","http_content_type":"text\/html"}}
{"timestamp":"2019-01-30T22:22:55.178234+0000","flow_id":1258275693651984,"pcap_cnt":277,"event_type":"fileinfo","src_ip":"204.11.58.87","src_port":80,"dest_ip":"10.1.30.102","dest_port":49197,"proto":"TCP","http":{"hostname":"labtcompany.com","url":"\/kixeNn1wNu","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"http:\/\/labtcompany.com\/kixeNn1wNu\/","length":242},"app_proto":"http","fileinfo":{"filename":"\/kixeNn1wNu","gaps":false,"state":"CLOSED","stored":false,"size":242,"tx_id":0}}
{"timestamp":"2019-01-30T22:22:55.262740+0000","flow_id":1258275693651984,"pcap_cnt":319,"event_type":"alert","src_ip":"204.11.58.87","src_port":80,"dest_ip":"10.1.30.102","dest_port":49197,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2018959,"rev":3,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2019-01-30T22:22:55.262740+0000","flow_id":1258275693651984,"pcap_cnt":319,"event_type":"alert","src_ip":"204.11.58.87","src_port":80,"dest_ip":"10.1.30.102","dest_port":49197,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2016538,"rev":3,"signature":"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-01-30T22:22:55.262740+0000","flow_id":1258275693651984,"pcap_cnt":319,"event_type":"alert","src_ip":"204.11.58.87","src_port":80,"dest_ip":"10.1.30.102","dest_port":49197,"proto":"TCP","app_proto":"http","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2014520,"rev":6,"signature":"ET INFO EXE - Served Attached HTTP","category":"Misc activity","severity":3}}
{"timestamp":"2019-01-30T22:22:55.372238+0000","flow_id":1258275693651984,"pcap_cnt":808,"event_type":"http","src_ip":"10.1.30.102","src_port":49197,"dest_ip":"204.11.58.87","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"labtcompany.com","url":"\/kixeNn1wNu\/","http_content_type":"application\/octet-stream"}}
{"timestamp":"2019-01-30T22:24:01.558299+0000","flow_id":2053394403510079,"pcap_cnt":836,"event_type":"http","src_ip":"10.1.30.102","src_port":49204,"dest_ip":"201.175.70.250","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"201.175.70.250","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"}}
{"timestamp":"2019-01-30T22:24:01.558299+0000","flow_id":2053394403510079,"pcap_cnt":836,"event_type":"fileinfo","src_ip":"201.175.70.250","src_port":443,"dest_ip":"10.1.30.102","dest_port":49204,"proto":"TCP","http":{"hostname":"201.175.70.250","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_method":"GET","protocol":"HTTP\/1.1","status":0,"length":569},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":569,"tx_id":0}}
{"timestamp":"2019-01-30T22:28:30.465771+0000","flow_id":22993725834698,"pcap_cnt":889,"event_type":"http","src_ip":"10.1.30.102","src_port":49215,"dest_ip":"189.137.139.190","dest_port":50000,"proto":"TCP","tx_id":0,"http":{"hostname":"189.137.139.190","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-30T22:28:39.362344+0000","flow_id":595128470556817,"pcap_cnt":1196,"event_type":"http","src_ip":"10.1.30.102","src_port":49218,"dest_ip":"72.47.248.48","dest_port":8080,"proto":"TCP","tx_id":0,"http":{"hostname":"72.47.248.48","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-30T22:28:39.405981+0000","flow_id":595128470556817,"pcap_cnt":1198,"event_type":"fileinfo","src_ip":"72.47.248.48","src_port":8080,"dest_ip":"10.1.30.102","dest_port":49218,"proto":"TCP","http":{"hostname":"72.47.248.48","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237172},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":237172,"tx_id":0}}
{"timestamp":"2019-01-30T22:28:39.966681+0000","flow_id":595128470556817,"pcap_cnt":1200,"event_type":"http","src_ip":"10.1.30.102","src_port":49218,"dest_ip":"72.47.248.48","dest_port":8080,"proto":"TCP","tx_id":1,"http":{"hostname":"72.47.248.48","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-30T22:28:42.936226+0000","flow_id":595128470556817,"pcap_cnt":1201,"event_type":"fileinfo","src_ip":"72.47.248.48","src_port":8080,"dest_ip":"10.1.30.102","dest_port":49218,"proto":"TCP","http":{"hostname":"72.47.248.48","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":148},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":148,"tx_id":1}}
{"timestamp":"2019-01-30T22:33:59.449907+0000","flow_id":273703876681075,"pcap_cnt":1205,"event_type":"dns","src_ip":"10.1.30.102","src_port":63859,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35340,"rrname":"matchippsi.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T22:33:59.779859+0000","flow_id":273703876681075,"pcap_cnt":1206,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.102","dest_port":63859,"proto":"UDP","dns":{"type":"answer","id":35340,"rcode":"NOERROR","rrname":"matchippsi.com","rrtype":"A","ttl":599,"rdata":"95.47.161.68"}}
{"timestamp":"2019-01-30T22:34:00.396021+0000","flow_id":1865717256811789,"pcap_cnt":1213,"event_type":"tls","src_ip":"10.1.30.102","src_port":49219,"dest_ip":"95.47.161.68","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org","issuerdn":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org"}}
{"timestamp":"2019-01-30T22:34:02.076047+0000","flow_id":1139330912946226,"pcap_cnt":1249,"event_type":"tls","src_ip":"10.1.30.102","src_port":49225,"dest_ip":"95.47.161.68","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org","issuerdn":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org"}}
{"timestamp":"2019-01-30T22:34:02.080405+0000","flow_id":526686040425599,"pcap_cnt":1254,"event_type":"tls","src_ip":"10.1.30.102","src_port":49221,"dest_ip":"95.47.161.68","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org","issuerdn":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org"}}
{"timestamp":"2019-01-30T22:34:02.080718+0000","flow_id":184005632263991,"pcap_cnt":1256,"event_type":"tls","src_ip":"10.1.30.102","src_port":49224,"dest_ip":"95.47.161.68","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org","issuerdn":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org"}}
{"timestamp":"2019-01-30T22:34:02.080971+0000","flow_id":889692381316510,"pcap_cnt":1258,"event_type":"tls","src_ip":"10.1.30.102","src_port":49222,"dest_ip":"95.47.161.68","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org","issuerdn":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org"}}
{"timestamp":"2019-01-30T22:34:03.030529+0000","flow_id":1603329114835132,"pcap_cnt":1339,"event_type":"tls","src_ip":"10.1.30.102","src_port":49226,"dest_ip":"95.47.161.68","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org","issuerdn":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org"}}
{"timestamp":"2019-01-30T22:34:03.063466+0000","flow_id":947375939585772,"pcap_cnt":1441,"event_type":"tls","src_ip":"10.1.30.102","src_port":49223,"dest_ip":"95.47.161.68","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org","issuerdn":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org"}}
{"timestamp":"2019-01-30T22:34:03.862501+0000","flow_id":1023877897201957,"pcap_cnt":1837,"event_type":"dns","src_ip":"10.1.30.102","src_port":63317,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47186,"rrname":"decretery.host","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T22:34:04.113835+0000","flow_id":1023877897201957,"pcap_cnt":1954,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.102","dest_port":63317,"proto":"UDP","dns":{"type":"answer","id":47186,"rcode":"NOERROR","rrname":"decretery.host","rrtype":"A","ttl":599,"rdata":"95.47.161.68"}}
{"timestamp":"2019-01-30T22:39:01.525788+0000","flow_id":160314612319708,"pcap_cnt":2138,"event_type":"dns","src_ip":"10.1.30.102","src_port":60720,"dest_ip":"10.1.30.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47990,"rrname":"decretery.host","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-30T22:39:01.526063+0000","flow_id":160314612319708,"pcap_cnt":2139,"event_type":"dns","src_ip":"10.1.30.1","src_port":53,"dest_ip":"10.1.30.102","dest_port":60720,"proto":"UDP","dns":{"type":"answer","id":47990,"rcode":"NOERROR","rrname":"decretery.host","rrtype":"A","ttl":301,"rdata":"95.47.161.68"}}
{"timestamp":"2019-01-30T22:39:02.286647+0000","flow_id":1710763446439973,"pcap_cnt":2146,"event_type":"tls","src_ip":"10.1.30.102","src_port":49235,"dest_ip":"95.47.161.68","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org","issuerdn":"C=US, ST=OR, O=flush's Medellin, OU=unseen obliques, CN=cortisone.org"}}
{"timestamp":"2019-01-30T22:43:06.870518+0000","flow_id":755861235961181,"pcap_cnt":3092,"event_type":"http","src_ip":"10.1.30.102","src_port":49236,"dest_ip":"72.47.248.48","dest_port":8080,"proto":"TCP","tx_id":0,"http":{"hostname":"72.47.248.48","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2019-01-30T22:43:06.935428+0000","flow_id":755861235961181,"pcap_cnt":3094,"event_type":"fileinfo","src_ip":"72.47.248.48","src_port":8080,"dest_ip":"10.1.30.102","dest_port":49236,"proto":"TCP","http":{"hostname":"72.47.248.48","url":"\/","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":752740},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":752740,"tx_id":0}}
{"timestamp":"2019-01-30T22:43:07.609453+0000","flow_id":755861235961181,"pcap_cnt":3106,"event_type":"http","src_ip":"10.1.30.102","src_port":49236,"dest_ip":"72.47.248.48","dest_port":8080,"proto":"TCP","tx_id":1,"http":{"hostname":"72.47.248.48","url":"\/","http_user_agent"

This file has been truncated.


keyword_perf.log - (15200 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/31/2019 -- 08:51:02
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             20056696        4610            4610            6146665         4350.00         4350.00         0.00           
  content          109521236       5233            2311            16052664        20928.00        13734.00        26618.00       
  pcre             4361092         1146            176             27921           3805.00         4728.00         3638.00        
  byte_test        596280          178             46              28008           3349.00         3620.00         3255.00        
  byte_jump        142969          33              13              30693           4332.00         4228.00         4400.00        
  isdataat         17864           6               0               3481            2977.00         0.00            2977.00        
  flowbits         1668624         592             37              15667           2818.00         3402.00         2779.00        
  urilen           992451          316             56              28523           3140.00         3107.00         3147.00        
  byte_extract     133669          48              36              3603            2784.00         2729.00         2951.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             20056696        4610            4610            6146665         4350.00         4350.00         0.00           
  flowbits         1625519         583             28              15667           2788.00         2956.00         2779.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7340547         1628            612             56896           4508.00         4493.00         4518.00        
  pcre             374800          96              54              21070           3904.00         3279.00         4707.00        
  byte_test        596280          178             46              28008           3349.00         3620.00         3255.00        
  byte_jump        106681          26              6               30693           4103.00         3113.00         4400.00        
  isdataat         17864           6               0               3481            2977.00         0.00            2977.00        
  byte_extract     133669          48              36              3603            2784.00         2729.00         2951.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         43105           9               9               7649            4789.00         4789.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          438775          125             46              6032            3510.00         3832.00         3322.00        
  pcre             345517          78              13              17163           4429.00         4430.00         4429.00        
  urilen           992451          316             56              28523           3140.00         3107.00         3147.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          46369           11              0               15737           4215.00         0.00            4215.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          95252565        1824            467             16052664        52221.00        51477.00        52477.00       
  pcre             2561113         786             0               22749           3258.00         0.00            3258.00        
  byte_jump        36288           7               7               18150           5184.00         5184.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4501075         1114            872             47048           4040.00         4038.00         4048.00        
  pcre             890838          152             76              27921           5860.00         5463.00         6258.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          289201          81              53              16042           3570.00         3810.00         3115.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          75778           22              22              4419            3444.00         3444.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_start
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          44203           9               9               16254           4911.00         4911.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_raw_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3848            1               0               3848            3848.00         0.00            3848.00        
  pcre             6500            1               0               6500            6500.00         0.00            6500.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          305078          69              34              83235           4421.00         5894.00         2990.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             76769           9               9               25867           8529.00         8529.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1093145         308             195             17397           3549.00         3730.00         3236.00        
  pcre             105555          24              24              5752            4398.00         4398.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_msg
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3383            1               0               3383            3383.00         0.00            3383.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          100141          31              1               4037            3230.00         3888.00         3208.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          27128           9               0               3736            3014.00         0.00            3014.00        


suricata-4.0.0-etpro-all-alert-2019-01-31-T-08-51-02-01312019.0850-2019-01-30-Emotet-infection-with-IcedID.pcap.txt - (848 bytes)
01/30/2019-22:22:26.327683  [**] [1:2020657:2] ET TROJAN Possible malicious Office doc hidden in XML file [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 69.160.38.10:80 -> 10.1.30.102:49196
01/30/2019-22:22:55.262740  [**] [1:2018959:3] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 204.11.58.87:80 -> 10.1.30.102:49197
01/30/2019-22:22:55.262740  [**] [1:2016538:3] ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 204.11.58.87:80 -> 10.1.30.102:49197
01/30/2019-22:22:55.262740  [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 204.11.58.87:80 -> 10.1.30.102:49197


IDSDeathBlossom.py.log - (1179 bytes)
2019-01-31 08:50:40,615 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-31 08:50:41,329 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-31 08:50:41,329 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-31 08:50:41,330 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-31 08:50:41,330 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-31 08:50:41,330 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/e77c792636255f8285d7139a5b41953156b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01312019.0850-2019-01-30-Emotet-infection-with-IcedID.pcap -vvv -k none
2019-01-31 08:51:02,255 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-31 08:51:02,255 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 21.6479389668