Filename: 33d1c14e-ec07-4660-bde7-9848b7b7f9b4.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 29.2555060387 seconds
Hash: ea2f6cf49138b205e155f659e19dc0c5
Uploaded: 1568214885 (Unix epoch seconds, 2019-09-11 15:14:45 UTC)

Logfiles


suricata-4.0.0-etpro-all-alert-2019-09-11-T-15-15-14-09112019.1514-33d1c14e-ec07-4660-bde7-9848b7b7f9b4.pcap.txt - (204 bytes)
10/30/2018-10:14:54.868520  [**] [1:2827462:2] ETPRO TROJAN Win32.Agent.bjswlh CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.152:50779 -> 58.64.209.84:80
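
The single alert above is in Suricata's fast.log format: timestamp, `[gid:sid:rev]`, message, classification, priority, protocol, then source and destination. As an added example (not part of this report and not Suricata's own code), the following Python turns such lines into structured records, splitting address and port only for protocols that carry ports. The first sample line is the alert from this report; the second is a constructed ICMP line using a local-rules SID, not a real ET signature, included to show the port-less form.

```python
"""Parse Suricata fast.log alert lines into structured records."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Layout of one fast.log line:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# Source and destination are captured as opaque tokens and split into address
# and port afterwards, because only some protocols carry ports.
_FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Protocols for which Suricata appends ":port" to each address.
_PORTED = {"TCP", "UDP", "SCTP"}


@dataclass(frozen=True)
class FastAlert:
    timestamp: datetime
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(token: str, proto: str):
    """Split 'addr:port' on the last colon (IPv6-safe) when the protocol has ports."""
    if proto in _PORTED and ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None


def parse_fast_line(line: str) -> Optional[FastAlert]:
    """Return a FastAlert for one fast.log line, or None if the line is not an alert."""
    m = _FAST_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto")
    src_ip, src_port = _split_endpoint(m.group("src"), proto)
    dst_ip, dst_port = _split_endpoint(m.group("dst"), proto)
    return FastAlert(
        timestamp=datetime.strptime(m.group("ts"), "%m/%d/%Y-%H:%M:%S.%f"),
        gid=int(m.group("gid")),
        sid=int(m.group("sid")),
        rev=int(m.group("rev")),
        msg=m.group("msg"),
        classification=m.group("cls"),
        priority=int(m.group("prio")),
        proto=proto,
        src_ip=src_ip,
        src_port=src_port,
        dst_ip=dst_ip,
        dst_port=dst_port,
    )


def parse_fast_log(text: str):
    """Parse every alert line in a fast.log body; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        alert = parse_fast_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def cnc_beacons(alerts):
    """Distinct (src_ip, dst_ip, dst_port) for priority-1 alerts whose message mentions CnC."""
    return sorted({(a.src_ip, a.dst_ip, a.dst_port) for a in alerts
                   if a.priority == 1 and "CnC" in a.msg})


# First line: the alert from this report. Second line: a constructed ICMP sample
# (local-rules SID range, not a real ET signature) showing the port-less form.
SAMPLE_FAST_LOG = """\
10/30/2018-10:14:54.868520  [**] [1:2827462:2] ETPRO TROJAN Win32.Agent.bjswlh CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.100.152:50779 -> 58.64.209.84:80
10/30/2018-10:15:01.000000  [**] [1:1000001:1] LOCAL ICMP echo request (constructed sample) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.152 -> 192.168.100.1
"""

if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for a in parsed:
        print(a.timestamp.isoformat(), a.sid, a.priority, a.proto,
              f"{a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port}", a.msg)
    print(cnc_beacons(parsed))
```

The `cnc_beacons` helper is the kind of pivot an analyst wants from this report: the internal host and the external endpoint it beaconed to, ready to be matched against proxy or flow logs.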


packet_stats.log - (15847 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6            20          9155698       83410594      61642867          1.2b   29.56
 IPv4      17            53          8016050       81353674      39989074          2.1b   50.82
 IPv6      17            15          7442350       83748088      44271216        664.1m   15.92
 IPv6      58             2         76435650       77876172      77155911        154.3m    3.70
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6            20           147848        6638280       1007351         20.1m   23.33
TMM_FLOWWORKER              IPv4      17            53           206076       21213132       1085877         57.6m   66.65
TMM_RECEIVEPCAPFILE         IPv4       6            16             4442           5528          4847         77.6k    0.09
TMM_RECEIVEPCAPFILE         IPv4      17            53             4428          22950          5411        286.8k    0.33
TMM_DECODEPCAPFILE          IPv4       6            16             4566          25130          7265        116.3k    0.13
TMM_DECODEPCAPFILE          IPv4      17            53             4572           7840          5181        274.6k    0.32
TMM_FLOWWORKER              IPv6      17            15           191506         845818        435270          6.5m    7.56
TMM_FLOWWORKER              IPv6      58             2           513142         593454        553298          1.1m    1.28
TMM_RECEIVEPCAPFILE         IPv6      17            15             4446           9168          5198         78.0k    0.09
TMM_RECEIVEPCAPFILE         IPv6      58             2             4466           4752          4609          9.2k    0.01
TMM_DECODEPCAPFILE          IPv6      17            15             4598          72898          9583        143.8k    0.17
TMM_DECODEPCAPFILE          IPv6      58             2             4830          22126         13478         27.0k    0.03

Flow Worker            IP ver   Proto   cnt            min            max            avg            tot           %%
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
flow                    IPv4       6            16             5010           8554          6062         97.0k  0.12  
flow                    IPv4      17            53             4798          80446          8091        428.8k  0.55  
stream                  IPv4       6            20             7288         807282        116396          2.3m  2.98  
app-layer               IPv4      17            53             4472          69296          9415        499.0k  0.64  
detect                  IPv4       6            20            79664        5909996        813269         16.3m  20.82 
detect                  IPv4      17            53           178002       21072736        978795         51.9m  66.40 
tcp-prune               IPv4       6            20             4504          20082          6143        122.9k  0.16  
flow                    IPv6      17            15             4808          54578         13876        208.1k  0.27  
flow                    IPv6      58             2             7226          37842         22534         45.1k  0.06  
app-layer               IPv6      17            15             4448         440248         39930        599.0k  0.77  
detect                  IPv6      17            15           161938         794742        330087          5.0m  6.34  
detect                  IPv6      58             2           141664         563512        352588        705.2k  0.90  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg            tot           %%
--------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
http                    IPv4       6             2             9102          67816         38459         76.9k  57.90 
dns                     IPv4      17             4            10122          21396         13983         55.9k  42.10 
Proto detect            IPv4       6             4             6474          17828          9771         39.1k
Proto detect            IPv4      17            11             4718          33056         11661        128.3k
Proto detect            IPv6      17             6             5408         430284         82012        492.1k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot           %%
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
LOGGER_ALERT_FAST           IPv4       6             1           134084         134084        134084        134.1k  3.94  
LOGGER_UNIFIED2             IPv4       6             1           119990         119990        119990        120.0k  3.52  
LOGGER_JSON_ALERT           IPv4       6             1           149392         149392        149392        149.4k  4.39  
LOGGER_JSON_DNS             IPv4      17             4            57432        1884132        669535          2.7m  78.65 
LOGGER_JSON_HTTP            IPv4       6             2            83586         105352         94469        188.9k  5.55  
LOGGER_JSON_FILE            IPv4       6             2            55078          79344         67211        134.4k  3.95  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6             6             4808        1445408        279317         1.7m  20.34 
payload                           IPv4      17            53             5482         865258         72879         3.9m  46.89 
stream                            IPv4       6             6             4516         857870        181823         1.1m  13.24 
http_uri                          IPv4       6             2            33578          50804         42191        84.4k  1.02  
http_request_line                 IPv4       6             2             7378          11760          9569        19.1k  0.23  
http_client_body                  IPv4       6             2            11678          26448         19063        38.1k  0.46  
http_header (request)             IPv4       6             2            82466         131372        106919       213.8k  2.60  
http_header (request trailer)     IPv4       6             2             4580           4586          4583         9.2k  0.11  
http_header_names (request)       IPv4       6             2            17902          30574         24238        48.5k  0.59  
http_accept (request)             IPv4       6             2             5164          30572         17868        35.7k  0.43  
http_referer (request)            IPv4       6             2             4964           5776          5370        10.7k  0.13  
http_content_len (request)        IPv4       6             2             7040           8098          7569        15.1k  0.18  
http_content_type (request)       IPv4       6             2             5614           6598          6106        12.2k  0.15  
http_protocol (request)           IPv4       6             2             7252           7656          7454        14.9k  0.18  
http_start (request)              IPv4       6             2            13198          23042         18120        36.2k  0.44  
http_raw_header (request)         IPv4       6             2            18112          23148         20630        41.3k  0.50  
http_method                       IPv4       6             2             8222           9166          8694        17.4k  0.21  
http_cookie (request)             IPv4       6             2             5818           7666          6742        13.5k  0.16  
http_raw_uri                      IPv4       6             2             6260           7690          6975        13.9k  0.17  
http_user_agent                   IPv4       6             2            21300          40462         30881        61.8k  0.75  
http_host                         IPv4       6             2            10400          32548         21474        42.9k  0.52  
dns_query                         IPv4      17             2            17496          19874         18685        37.4k  0.45  
Total                             IPv4                   103                                         71803         7.4m
payload                           IPv6      17            15             5196         498698         54484       817.3k  9.92  
payload                           IPv6      58             2             7136          17812         12474        24.9k  0.30  
Total                             IPv6                    17                                         49542       842.2k

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot           %%
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
PROF_DETECT_IPONLY          IPv4       6             4            14816          80518         48690        194.8k  0.24  
PROF_DETECT_IPONLY          IPv4      17            11            43756         516924        110415          1.2m  1.49  
PROF_DETECT_RULES           IPv4       6            20             4482        4267264        457652          9.2m  11.25 
PROF_DETECT_RULES           IPv4      17            53            77052       20891050        682054         36.1m  44.42 
PROF_DETECT_STATEFUL_START    IPv4       6             2          1653480        2078170       1865825          3.7m  4.59  
PROF_DETECT_STATEFUL_CONT    IPv4       6            20             4514          22864          8423        168.5k  0.21  
PROF_DETECT_STATEFUL_CONT    IPv4      17            53             4394          63488          6511        345.1k  0.42  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            10             4504           6510          4901         49.0k  0.06  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             4             4784           6638          5629         22.5k  0.03  
PROF_DETECT_PREFILTER       IPv4       6            20            14212        1514416        219133          4.4m  5.38  
PROF_DETECT_PREFILTER       IPv4      17            53            41708         904184        146972          7.8m  9.57  
PROF_DETECT_PF_PAYLOAD      IPv4       6             6            45284        1469732        476842          2.9m  3.52  
PROF_DETECT_PF_PAYLOAD      IPv4      17            53            14366         874606         82723          4.4m  5.39  
PROF_DETECT_PF_TX           IPv4       6            10             4812         553048         98128        981.3k  1.21  
PROF_DETECT_PF_TX           IPv4      17             2            27102          30420         28761         57.5k  0.07  
PROF_DETECT_PF_SORT1        IPv4       6             6             5060          13480          8355         50.1k  0.06  
PROF_DETECT_PF_SORT1        IPv4      17            53             4484         465458         22544          1.2m  1.47  
PROF_DETECT_PF_SORT2        IPv4       6            20             4438          18974          6423        128.5k  0.16  
PROF_DETECT_PF_SORT2        IPv4      17            53             4450          19662          5669        300.5k  0.37  
PROF_DETECT_NONMPMLIST      IPv4       6            20             4506           7308          5248        105.0k  0.13  
PROF_DETECT_NONMPMLIST      IPv4      17            53             4518           8458          5054        267.9k  0.33  
PROF_DETECT_ALERT           IPv4       6            20             4512          42376          7681        153.6k  0.19  
PROF_DETECT_ALERT           IPv4      17            53             4426           7704          5046        267.5k  0.33  
PROF_DETECT_CLEANUP         IPv4       6            20             4616          14400          5982        119.6k  0.15  
PROF_DETECT_CLEANUP         IPv4      17            53             4412         845928         22316          1.2m  1.45  
PROF_DETECT_GETSGH          IPv4       6            20             4420          16882          6440        128.8k  0.16  
PROF_DETECT_GETSGH          IPv4      17            53             4632         109288          8124        430.6k  0.53  
PROF_DETECT_IPONLY          IPv6      17             6             5318          37288         13011         78.1k  0.10  
PROF_DETECT_IPONLY          IPv6      58             1            11418          11418         11418         11.4k  0.01  
PROF_DETECT_RULES           IPv6      17            15            58698         381692        118814          1.8m  2.19  
PROF_DETECT_RULES           IPv6      58             2             4608         440114        222361        444.7k  0.55  
PROF_DETECT_STATEFUL_CONT    IPv6      17            15             4394           6320          4742         71.1k  0.09  
PROF_DETECT_STATEFUL_CONT    IPv6      58             2             4672           4812          4742          9.5k  0.01  
PROF_DETECT_PREFILTER       IPv6      17            15            41782         547868         94440          1.4m  1.74  
PROF_DETECT_PREFILTER       IPv6      58             2            47260          52184         49722         99.4k  0.12  
PROF_DETECT_PF_PAYLOAD      IPv6      17            15            14278         509490         63862        957.9k  1.18  
PROF_DETECT_PF_PAYLOAD      IPv6      58             2            16354          26952         21653         43.3k  0.05  
PROF_DETECT_PF_SORT1        IPv6      17            15             4654           8630          5267         79.0k  0.10  
PROF_DETECT_PF_SORT2        IPv6      17            15             4446          12840          5548         83.2k  0.10  
PROF_DETECT_PF_SORT2        IPv6      58             2             4644           4676          4660          9.3k  0.01  
PROF_DETECT_NONMPMLIST      IPv6      17            15             4430           5760          4813         72.2k  0.09  
PROF_DETECT_NONMPMLIST      IPv6      58             2             4680           4824          4752          9.5k  0.01  
PROF_DETECT_ALERT           IPv6      17            15             4446          22710          6210         93.2k  0.11  
PROF_DETECT_ALERT           IPv6      58             2             5146           5726          5436         10.9k  0.01  
PROF_DETECT_CLEANUP         IPv6      17            15             4440           7602          5318         79.8k  0.10  
PROF_DETECT_CLEANUP         IPv6      58             2             6718           6988          6853         13.7k  0.02  
PROF_DETECT_GETSGH          IPv6      17            15             4648          57820         12740        191.1k  0.23  
PROF_DETECT_GETSGH          IPv6      58             2             7330           9402          8366         16.7k  0.02  


suricata-report-2019-09-11-T-15-15-14-09112019.1514-33d1c14e-ec07-4660-bde7-9848b7b7f9b4.pcap.txt - (17707 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/ea2f6cf49138b205e155f659e19dc0c556b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09112019.1514-33d1c14e-ec07-4660-bde7-9848b7b7f9b4.pcap -vvv -k none
elapsedtime:27.995343
stderr:
stdout:
11/9/2019 -- 15:14:46 - <Info> - Configuration node 'rule-files' redefined.
11/9/2019 -- 15:14:46 - <Notice> - This is Suricata version 4.0.0 RELEASE
11/9/2019 -- 15:14:46 - <Info> - CPUs/cores online: 1
11/9/2019 -- 15:14:46 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 33623 and 'request-body-inspect-window' set to 16549 after randomization.
11/9/2019 -- 15:14:46 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33150 and 'response-body-inspect-window' set to 16411 after randomization.
11/9/2019 -- 15:14:46 - <Config> - DNS request flood protection level: 500
11/9/2019 -- 15:14:46 - <Config> - DNS per flow memcap (state-memcap): 524288
11/9/2019 -- 15:14:46 - <Config> - DNS global memcap: 16777216
11/9/2019 -- 15:14:46 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
11/9/2019 -- 15:14:46 - <Config> - preallocated 1000 hosts of size 136
11/9/2019 -- 15:14:46 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
11/9/2019 -- 15:14:46 - <Config> - using magic-file /usr/share/file/magic
11/9/2019 -- 15:14:46 - <Config> - Core dump size is unlimited.
11/9/2019 -- 15:14:46 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
11/9/2019 -- 15:14:46 - <Config> - preallocated 1000 defrag trackers of size 168
11/9/2019 -- 15:14:46 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
11/9/2019 -- 15:14:46 - <Config> - stream "prealloc-sessions": 2048 (per thread)
11/9/2019 -- 15:14:46 - <Config> - stream "memcap": 33554432
11/9/2019 -- 15:14:46 - <Config> - stream "midstream" session pickups: disabled
11/9/2019 -- 15:14:46 - <Config> - stream "async-oneside": disabled
11/9/2019 -- 15:14:46 - <Config> - stream "checksum-validation": disabled
11/9/2019 -- 15:14:46 - <Config> - stream."inline": disabled
11/9/2019 -- 15:14:46 - <Config> - stream "bypass": disabled
11/9/2019 -- 15:14:46 - <Config> - stream "max-synack-queued": 5
11/9/2019 -- 15:14:46 - <Config> - stream.reassembly "memcap": 134217728
11/9/2019 -- 15:14:46 - <Config> - stream.reassembly "depth": 0
11/9/2019 -- 15:14:46 - <Config> - stream.reassembly "toserver-chunk-size": 2518
11/9/2019 -- 15:14:46 - <Config> - stream.reassembly "toclient-chunk-size": 2614
11/9/2019 -- 15:14:46 - <Config> - stream.reassembly.raw: enabled
11/9/2019 -- 15:14:46 - <Config> - stream.reassembly "segment-prealloc": 2048
11/9/2019 -- 15:14:46 - <Config> - Delayed detect disabled
11/9/2019 -- 15:14:46 - <Config> - pattern matchers: MPM: ac, SPM: bm
11/9/2019 -- 15:14:46 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
11/9/2019 -- 15:14:46 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
11/9/2019 -- 15:14:46 - <Config> - prefilter engines: MPM
11/9/2019 -- 15:14:46 - <Config> - IP reputation disabled
11/9/2019 -- 15:14:46 - <Perf> - Registered 148 keyword profiling counters.
11/9/2019 -- 15:14:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
11/9/2019 -- 15:14:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
11/9/2019 -- 15:14:46 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
11/9/2019 -- 15:14:53 - <Config> - No rules loaded from ET-icmp.rules.
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
11/9/2019 -- 15:14:53 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
11/9/2019 -- 15:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
11/9/2019 -- 15:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
11/9/2019 -- 15:14:54 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
11/9/2019 -- 15:14:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
11/9/2019 -- 15:14:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
11/9/2019 -- 15:14:57 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
11/9/2019 -- 15:14:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
11/9/2019 -- 15:14:59 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
11/9/2019 -- 15:15:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
11/9/2019 -- 15:15:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
11/9/2019 -- 15:15:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
11/9/2019 -- 15:15:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
11/9/2019 -- 15:15:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
11/9/2019 -- 15:15:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
11/9/2019 -- 15:15:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
11/9/2019 -- 15:15:02 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
11/9/2019 -- 15:15:02 - <Config> - No rules loaded from local.rules.
11/9/2019 -- 15:15:02 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
11/9/2019 -- 15:15:02 - <Info> - Threshold config parsed: 0 rule(s) found
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for tcp-packet
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for tcp-stream
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for udp-packet
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for other-ip
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_uri
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_request_line
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_client_body
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_response_line
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_header
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_header
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_header_names
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_header_names
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_accept
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_accept_enc
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_accept_lang
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_referer
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_connection
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_content_len
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_content_len
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_content_type
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_content_type
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_protocol
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_protocol
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_start
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_start
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_raw_header
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_raw_header
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_method
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_cookie
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_cookie
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_raw_uri
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_user_agent
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_host
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_raw_host
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_stat_msg
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_stat_code
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for dns_query
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for tls_sni
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for tls_cert_issuer
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for tls_cert_subject
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for tls_cert_serial
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for dce_stub_data
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for dce_stub_data
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for ssh_protocol
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for ssh_protocol
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for ssh_software
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for ssh_software
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for file_data
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for file_data
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_request_line
11/9/2019 -- 15:15:03 - <Perf> - using shared mpm ctx' for http_response_line
11/9/2019 -- 15:15:03 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
11/9/2019 -- 15:15:03 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
11/9/2019 -- 15:15:03 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
11/9/2019 -- 15:15:03 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
11/9/2019 -- 15:15:03 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
11/9/2019 -- 15:15:03 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
11/9/2019 -- 15:15:03 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
11/9/2019 -- 15:15:03 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
11/9/2019 -- 15:15:09 - <Perf> - Unique rule groups: 104
11/9/2019 -- 15:15:09 - <Perf> - Builtin MPM "toserver TCP packet": 35
11/9/2019 -- 15:15:09 - <Perf> - Builtin MPM "toclient TCP packet": 17
11/9/2019 -- 15:15:09 - <Perf> - Builtin MPM "toserver TCP stream": 33
11/9/2019 -- 15:15:09 - <Perf> - Builtin MPM "toclient TCP stream": 19
11/9/2019 -- 15:15:09 - <Perf> - Builtin MPM "toserver UDP packet": 27
11/9/2019 -- 15:15:09 - <Perf> - Builtin MPM "toclient UDP packet": 17
11/9/2019 -- 15:15:09 - <Perf> - Builtin MPM "other IP packet": 3
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_uri": 14
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_request_line": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_client_body": 6
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient http_response_line": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_header": 10
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient http_header": 6
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_header_names": 2
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_accept": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_referer": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_content_len": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_content_type": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient http_content_type": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_protocol": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_start": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_method": 5
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_cookie": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient http_cookie": 2
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver http_host": 2
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver dns_query": 4
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver tls_sni": 2
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toserver file_data": 1
11/9/2019 -- 15:15:09 - <Perf> - AppLayer MPM "toclient file_data": 7
11/9/2019 -- 15:15:13 - <Perf> - Registered 39590 rule profiling counters.
11/9/2019 -- 15:15:13 - <Info> - fast output device (regular) initialized: alert
11/9/2019 -- 15:15:13 - <Info> - eve-log output device (regular) initialized: eve.json
11/9/2019 -- 15:15:13 - <Config> - enabling 'eve-log' module 'alert'
11/9/2019 -- 15:15:13 - <Config> - enabling 'eve-log' module 'http'
11/9/2019 -- 15:15:13 - <Config> - enabling 'eve-log' module 'dns'
11/9/2019 -- 15:15:13 - <Config> - enabling 'eve-log' module 'tls'
11/9/2019 -- 15:15:13 - <Config> - enabling 'eve-log' module 'files'
11/9/2019 -- 15:15:13 - <Config> - enabling 'eve-log' module 'ssh'
11/9/2019 -- 15:15:13 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
11/9/2019 -- 15:15:13 - <Info> - stats output device (regular) initialized: stats.log
11/9/2019 -- 15:15:13 - <Config> - AutoFP mode using "Hash" flow load balancer
11/9/2019 -- 15:15:13 - <Info> - reading pcap file /var/pcap/09112019.1514-33d1c14e-ec07-4660-bde7-9848b7b7f9b4.pcap
11/9/2019 -- 15:15:13 - <Config> - us

This file has been truncated.


suricata-4.0.0-etpro-all-perf.txt-2019-09-11-T-15-15-14-09112019.1514-33d1c14e-ec07-4660-bde7-9848b7b7f9b4.pcap.txt - (19670 bytes)
  --------------------------------------------------------------------------
  Date: 9/11/2019 -- 15:15:14. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2805348      1        4        2003534      11.29  13       0        512768      154118.00   0.00        154118.00  
  2        2013739      1        15       733342       4.13   59       0        453172      12429.53    0.00        12429.53   
  3        2019016      1        3        512370       2.89   14       0        449528      36597.86    0.00        36597.86   
  4        2802205      1        3        501064       2.82   14       0        434788      35790.29    0.00        35790.29   
  5        2019011      1        3        498624       2.81   14       0        431578      35616.00    0.00        35616.00   
  6        2023626      1        3        698410       3.94   51       0        428920      13694.31    0.00        13694.31   
  7        2019010      1        3        488300       2.75   13       0        425314      37561.54    0.00        37561.54   
  8        2023622      1        3        735266       4.14   67       0        421658      10974.12    0.00        10974.12   
  9        2010143      1        3        600572       3.39   61       0        298662      9845.44     0.00        9845.44    
  10       2827462      1        2        323388       1.82   2        2        203716      161694.00   161694.00   0.00       
  11       2017666      1        11       181626       1.02   2        0        117870      90813.00    0.00        90813.00   
  12       2822979      1        3        194970       1.10   2        0        107240      97485.00    0.00        97485.00   
  13       2019668      1        2        147666       0.83   2        0        98510       73833.00    0.00        73833.00   
  14       2811273      1        6        146090       0.82   2        0        92260       73045.00    0.00        73045.00   
  15       2811276      1        7        140708       0.79   2        0        87754       70354.00    0.00        70354.00   
  16       2815475      1        6        141136       0.80   2        0        87324       70568.00    0.00        70568.00   
  17       2018361      1        11       135110       0.76   2        0        87000       67555.00    0.00        67555.00   
  18       2811278      1        7        86106        0.49   1        0        86106       86106.00    0.00        86106.00   
  19       2815477      1        6        139142       0.78   2        0        85856       69571.00    0.00        69571.00   
  20       2801347      1        5        109988       0.62   8        0        76780       13748.50    0.00        13748.50   
  21       2815748      1        2        146468       0.83   2        0        74156       73234.00    0.00        73234.00   
  22       2811275      1        8        141512       0.80   2        0        73320       70756.00    0.00        70756.00   
  23       2815476      1        6        125592       0.71   2        0        72462       62796.00    0.00        62796.00   
  24       2019501      1        2        125190       0.71   2        0        71610       62595.00    0.00        62595.00   
  25       2018359      1        3        134314       0.76   2        0        69658       67157.00    0.00        67157.00   
  26       2828123      1        2        127756       0.72   2        0        69552       63878.00    0.00        63878.00   
  27       2815750      1        2        122996       0.69   2        0        68750       61498.00    0.00        61498.00   
  28       2816660      1        3        118606       0.67   2        0        66668       59303.00    0.00        59303.00   
  29       2815480      1        6        119778       0.68   2        0        66476       59889.00    0.00        59889.00   
  30       2019358      1        11       109322       0.62   2        0        63488       54661.00    0.00        54661.00   
  31       2019457      1        13       122348       0.69   2        0        62562       61174.00    0.00        61174.00   
  32       2811274      1        7        114942       0.65   2        0        62218       57471.00    0.00        57471.00   
  33       2827505      1        2        100102       0.56   2        0        62208       50051.00    0.00        50051.00   
  34       2815479      1        6        61662        0.35   1        0        61662       61662.00    0.00        61662.00   
  35       2811279      1        7        104976       0.59   2        0        61396       52488.00    0.00        52488.00   
  36       2815749      1        2        114624       0.65   2        0        60970       57312.00    0.00        57312.00   
  37       2022016      1        2        106776       0.60   2        0        60204       53388.00    0.00        53388.00   
  38       2016759      1        1        114948       0.65   2        0        60168       57474.00    0.00        57474.00   
  39       2816356      1        2        108342       0.61   2        0        60040       54171.00    0.00        54171.00   
  40       2019209      1        12       107958       0.61   2        0        59334       53979.00    0.00        53979.00   
  41       2010142      1        4        347754       1.96   61       0        56572       5700.89     0.00        5700.89    
  42       2022073      1        2        98494        0.56   2        0        55618       49247.00    0.00        49247.00   
  43       2804626      1        9        88936        0.50   2        0        54546       44468.00    0.00        44468.00   
  44       2014380      1        4        158696       0.89   4        0        54540       39674.00    0.00        39674.00   
  45       2815753      1        2        108052       0.61   2        0        54480       54026.00    0.00        54026.00   
  46       2815752      1        2        53902        0.30   1        0        53902       53902.00    0.00        53902.00   
  47       2023083      1        2        98142        0.55   2        0        53824       49071.00    0.00        49071.00   
  48       2022074      1        3        95762        0.54   2        0        51870       47881.00    0.00        47881.00   
  49       2826256      1        2        97336        0.55   2        0        51806       48668.00    0.00        48668.00   
  50       2827279      1        5        100776       0.57   2        0        51740       50388.00    0.00        50388.00   
  51       2816471      1        2        88666        0.50   2        0        51504       44333.00    0.00        44333.00   
  52       2827294      1        2        86918        0.49   2        0        50916       43459.00    0.00        43459.00   
  53       2022543      1        1        80138        0.45   2        0        49542       40069.00    0.00        40069.00   
  54       2017902      1        4        82936        0.47   2        0        49318       41468.00    0.00        41468.00   
  55       2025087      1        2        94782        0.53   2        0        48796       47391.00    0.00        47391.00   
  56       2809464      1        2        92154        0.52   2        0        48024       46077.00    0.00        46077.00   
  57       2023583      1        4        89350        0.50   2        0        46296       44675.00    0.00        44675.00   
  58       2816857      1        2        81312        0.46   2        0        45946       40656.00    0.00        40656.00   
  59       2010140      1        7        498000       2.81   61       0        45068       8163.93     0.00        8163.93    
  60       2014703      1        9        78102        0.44   4        0        42080       19525.50    0.00        19525.50   
  61       2807559      1        2        122108       0.69   4        0        41350       30527.00    0.00        30527.00   
  62       2826281      1        2        65658        0.37   2        0        39496       32829.00    0.00        32829.00   
  63       2014701      1        12       84752        0.48   4        0        37314       21188.00    0.00        21188.00   
  64       2816165      1        5        71946        0.41   2        0        36834       35973.00    0.00        35973.00   
  65       2827580      1        7        71046        0.40   2        0        36692       35523.00    0.00        35523.00   
  66       2009702      1        5        82528        0.47   4        0        36462       20632.00    0.00        20632.00   
  67       2022502      1        4        70718        0.40   2        0        36426       35359.00    0.00        35359.00   
  68       2017552      1        6        69638        0.39   2        0        35980       34819.00    0.00        34819.00   
  69       2022914      1        1        68404        0.39   3        0        35788       22801.33    0.00        22801.33   
  70       2828190      1        2        70348        0.40   2        0        35764       35174.00    0.00        35174.00   
  71       2017703      1        3        68256        0.38   2        0        35742       34128.00    0.00        34128.00   
  72       2828008      1        2        68938        0.39   2        0        35658       34469.00    0.00        34469.00   
  73       2809465      1        2        69714        0.39   2        0        35646       34857.00    0.00        34857.00   
  74       2025088      1        2        68338        0.39   2        0        35596       34169.00    0.00        34169.00   
  75       2808851      1        4        67940        0.38   2        0        34816       33970.00    0.00        33970.00   
  76       2017731      1        3        69286        0.39   2        0        34730       34643.00    0.00        34643.00   
  77       2808852      1        4        67992        0.38   2        0        34680       33996.00    0.00        33996.00   
  78       2017967      1        3        67188        0.38   2        0        34240       33594.00    0.00        33594.00   
  79       2017695      1        4        66076        0.37   2        0        33418       33038.00    0.00        33038.00   
  80       2811542      1        1        68812        0.39   4        0        32514       17203.00    0.00        17203.00   
  81       2803760      1        3        53344        0.30   2        0        26756       26672.00    0.00        26672.00   
  82       2014957      1        1        43324        0.24   2        0        26402       21662.00    0.00        21662.00   
  83       2807856      1        2        41448        0.23   2        0        25124       20724.00    0.00        20724.00   
  84       2811534      1        1        85754        0.48   4        0        24724       21438.50    0.00        21438.50   
  85       2815451      1        2        81454        0.46   4        0        24526       20363.50    0.00        20363.50   
  86       2014702      1        9        58190        0.33   4        0        24148       14547.50    0.00        14547.50   
  87       2103239      1        4        22886        0.13   1        0        22886       22886.00    0.00        22886.00   
  88       2103158      1        6        37670        0.21   4        0        21174       9417.50     0.00        9417.50    
  89       2023624      1        3        265294       1.50   52       0        21062       5101.81     0.00        5101.81    
  90       2805211      1        1        46648        0.26   3        0        15986       15549.33    0.00        15549.33   
  91       2008116      1        4        84142        0.47   14       0        9772        6010.14     0.00        6010.14    
  92       2809536      1        1        14444        0.08   2        0        9026        7222.00     0.00        7222.00    
  93       2810792      1        5        13052        0.07   2        0        8318        6526.00     0.00        6526.00    
  94       2802822      1        1        73960        0.42   14       0        8264        5282.86     0.00        5282.86    
  95       2812497      1        1        24664        0.14   4        0        8194        6166.00     0.00        6166.00    
  96       2008120      1        4        306900       1.73   63       0        7840        4871.43     0.00        4871.43    
  97       2802823      1        1        42952        0.24   8        0        7782        5369.00     0.00        5369.00    
  98       2009243      1        2        86692        0.49   17       0        7518        5099.53     0.00        5099.53    
  99       2025200      1        1        23664        0.13   4        0        7458        5916.00     0.00        5916.00    
  100      2025401      1        2        35052        0.20   6        0        7394        5842.00     0.00        5842.00    
  101      2023623      1        3        174236       0.98   36       0        7338        4839.89     0.00        4839.89    
  102      2019017      1        3        65832        0.37   13       0        7214        5064.00     0.00        5064.00    
  103      2828876      1        1        33854        0.19   6        0        7108        5642.33     0.00        5642.33    
  104      2016323      1        1        29632        0.17   5        0        6976        5926.40     0.00        5926.40    
  105      2008118      1        3        86998        0.49   17       0        6966        5117.53     0.00        5117.53    
  106      2102523      1        8        11736        0.07   2        0        6722        5868.00     0.00        5868.00    
  107      2810798      1        5        11864        0.07   2        0        6648        5932.00     0.00        5932.00    
  108      2810793      1        5        11456        0.06   2        0        6516        5728.00     0.00        5728.00    
  109      2100518      1        8        69396        0.39   14       0        6354        4956.86     0.00        4956.86    
  110      2008119      1        3        40406        0.23   8        0        6350        5050.75     0.00        5050.75    
  111      2023627      1        3        184492       1.04   37       0        6346        4986.27     0.00        4986.27    
  112      2811445      1        4        12094        0.07   2        0        6266        6047.00     0.00        6047.00    
  113      2008117      1        3        70340        0.40   14       0        6194        5024.29     0.00        5024.29    
  114      2009387      1        4        6054         0.03   1        0        6054        6054.00     0.00        6054.00    
  115      2823788      1        4        11412        0.06   2        0        5994        5706.00     0.00        5706.00    
  116      2023625      1        3        217026       1.22   46       0        5980        4717.96     0.00        4717.96    
  117      2804587      1        2        11030        0.06   2        0        5764        5515.00     0.00        5515.00    
  118      2008306      1        3        21502        0.12   4        0        5724        5375.50     0.00        5375.50    
  119      2102523      1        8        10520        0.06   2        0        5594        5260.00     0.00        5260.00    
  120      2016363      1        2        25622        0.14   5        0        5504        5124.40     0.00        5124.40    
  121      2013075      1        8        10022        0.06   2        0        5498        5011.00     0.00        5011.00    
  122      2022132      1        1        10700        0.06   2        0        5460        5350.00     0.00        5350.00    
  123      2827604      1        2        10768        0.06   2        0        5450        5384.00     0.00        5384.00    
  124      2019235      1        1        5440         0.03   1        0        5440        5440.00     0.00        5440.00    
  125      2807546      1        6        1

This file has been truncated.
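Reading the rule profiling table above programmatically, as an added example that is not part of this page or of Suricata itself: the rows embedded below are copied from the table (a constructed subset, header and separator included so the parser shows how it skips them), the parser splits on whitespace, and the helpers pick out the one rule that actually matched and the rules that were checked often and cost the most without ever matching. The thresholds `min_checks` and `min_avg_nomatch` are arbitrary values chosen for illustration, not Suricata defaults.

```python
from dataclasses import dataclass

# Rows copied from the rule profiling table on this page (constructed subset so
# the script runs offline). Header and separator lines are kept on purpose.
RULE_PERF_SAMPLE = """\
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2805348      1        4        2003534      11.29  13       0        512768      154118.00   0.00        154118.00
  2        2013739      1        15       733342       4.13   59       0        453172      12429.53    0.00        12429.53
  8        2023622      1        3        735266       4.14   67       0        421658      10974.12    0.00        10974.12
  10       2827462      1        2        323388       1.82   2        2        203716      161694.00   161694.00   0.00
  41       2010142      1        4        347754       1.96   61       0        56572       5700.89     0.00        5700.89
  96       2008120      1        4        306900       1.73   63       0        7840        4871.43     0.00        4871.43
"""


@dataclass(frozen=True)
class RuleProfile:
    """One row of rule_perf.log. Ticks are CPU ticks, not wall-clock time."""
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_nomatch: float


def parse_rule_perf(text):
    """Parse the fixed-width table: a data row is exactly 12 whitespace-separated
    fields whose first field (Num) is an integer; everything else is skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12 or not f[0].isdigit():
            continue
        rows.append(RuleProfile(
            sid=int(f[1]), gid=int(f[2]), rev=int(f[3]), ticks=int(f[4]),
            pct=float(f[5]), checks=int(f[6]), matches=int(f[7]),
            max_ticks=int(f[8]), avg_ticks=float(f[9]),
            avg_match=float(f[10]), avg_nomatch=float(f[11]),
        ))
    return rows


def matched(rows):
    """Rules whose content/keyword checks matched at least once."""
    return [r for r in rows if r.matches > 0]


def top_by_ticks(rows, n=3):
    """The n most expensive rules by total ticks spent in this run."""
    return sorted(rows, key=lambda r: r.ticks, reverse=True)[:n]


def tuning_candidates(rows, min_checks=50, min_avg_nomatch=10000.0):
    """Rules reached often (prefilter let them through), never matching, and
    expensive per failed check: the first place to look when tuning a ruleset.
    Thresholds are illustrative assumptions."""
    return [r for r in rows
            if r.matches == 0 and r.checks >= min_checks
            and r.avg_nomatch >= min_avg_nomatch]


if __name__ == "__main__":
    rows = parse_rule_perf(RULE_PERF_SAMPLE)
    for r in matched(rows):
        print(f"matched: sid {r.sid} rev {r.rev} ({r.matches}/{r.checks} checks)")
    for r in top_by_ticks(rows):
        print(f"costly:  sid {r.sid} {r.ticks} ticks ({r.pct}% of rule time)")
    for r in tuning_candidates(rows):
        print(f"tune?    sid {r.sid} {r.checks} checks, 0 matches, "
              f"{r.avg_nomatch:.0f} ticks per miss")
```

Two caveats when reading this output. First, Matches is a count of rule evaluations that succeeded, not of alerts: sid 2827462 matched twice here, yet stats.log reports detect.alert = 1 and keyword_perf.log shows the threshold keyword with 2 checks and 1 match, so thresholding suppressed the second alert. Second, a 129-packet capture (decoder.pkts in stats.log) is nowhere near enough traffic to justify disabling a rule; candidates found this way need confirming against profiling from representative production traffic.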


stats.log - (3060 bytes)
------------------------------------------------------------------------------------
Date: 9/11/2019 -- 15:15:14 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 129
decoder.bytes                              | Total                     | 12379
decoder.ipv4                               | Total                     | 69
decoder.ipv6                               | Total                     | 17
decoder.ethernet                           | Total                     | 129
decoder.tcp                                | Total                     | 16
decoder.udp                                | Total                     | 68
decoder.icmpv6                             | Total                     | 2
decoder.avg_pkt_size                       | Total                     | 95
decoder.max_pkt_size                       | Total                     | 387
flow.tcp                                   | Total                     | 2
flow.udp                                   | Total                     | 15
flow.icmpv6                                | Total                     | 1
tcp.sessions                               | Total                     | 2
tcp.syn                                    | Total                     | 2
tcp.synack                                 | Total                     | 2
tcp.rst                                    | Total                     | 2
detect.alert                               | Total                     | 1
detect.mpm_list                            | Total                     | 11
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 12
app_layer.tx.http                          | Total                     | 2
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.tx.dns_udp                       | Total                     | 2
app_layer.flow.failed_udp                  | Total                     | 13
flow.spare                                 | Total                     | 9984
flow_mgr.flows_checked                     | Total                     | 10
flow_mgr.flows_notimeout                   | Total                     | 10
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65526
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074304


eve.json - (3838 bytes)
{"timestamp":"2018-10-30T10:14:23.651069+0000","flow_id":208319587282749,"pcap_cnt":73,"event_type":"dns","src_ip":"192.168.100.152","src_port":57709,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54520,"rrname":"clouds.googleupdating.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-10-30T10:14:23.989861+0000","flow_id":208319587282749,"pcap_cnt":75,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.152","dest_port":57709,"proto":"UDP","dns":{"type":"answer","id":54520,"rcode":"NOERROR","rrname":"clouds.googleupdating.net","rrtype":"A","ttl":299,"rdata":"58.64.209.84"}}
{"timestamp":"2018-10-30T10:14:54.002130+0000","flow_id":1271832948639826,"pcap_cnt":118,"event_type":"dns","src_ip":"192.168.100.152","src_port":62422,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10421,"rrname":"cloud.googleupdating.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-10-30T10:14:54.358149+0000","flow_id":1271832948639826,"pcap_cnt":119,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.152","dest_port":62422,"proto":"UDP","dns":{"type":"answer","id":10421,"rcode":"NOERROR","rrname":"cloud.googleupdating.net","rrtype":"A","ttl":299,"rdata":"58.64.209.84"}}
{"timestamp":"2018-10-30T10:14:54.868520+0000","flow_id":2183650210642428,"event_type":"alert","src_ip":"192.168.100.152","src_port":50779,"dest_ip":"58.64.209.84","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827462,"rev":2,"signature":"ETPRO TROJAN Win32.Agent.bjswlh CnC Beacon","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-10-30T10:14:54.868520+0000","flow_id":2183650210642428,"event_type":"http","src_ip":"192.168.100.152","src_port":50779,"dest_ip":"58.64.209.84","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"cloud.googleupdating.net","url":"\/60094121\/0000090800000DC4\/2018\/10\/30\/10\/14\/54\/005D5BE700004823","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:33.0) Gecko\/20100101 Firefox\/33.0"}}
{"timestamp":"2018-10-30T10:14:54.868520+0000","flow_id":2183650210642428,"event_type":"fileinfo","src_ip":"192.168.100.152","src_port":50779,"dest_ip":"58.64.209.84","dest_port":80,"proto":"TCP","http":{"hostname":"cloud.googleupdating.net","url":"\/60094121\/0000090800000DC4\/2018\/10\/30\/10\/14\/54\/005D5BE700004823","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:33.0) Gecko\/20100101 Firefox\/33.0","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/60094121\/0000090800000DC4\/2018\/10\/30\/10\/14\/54\/005D5BE700004823","gaps":false,"state":"CLOSED","stored":false,"size":36,"tx_id":0}}
{"timestamp":"2018-10-30T10:14:54.868520+0000","flow_id":637700352782542,"event_type":"http","src_ip":"192.168.100.152","src_port":50327,"dest_ip":"58.64.209.84","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"clouds.googleupdating.net","url":"\/60094121\/0000090800000DC4\/2018\/10\/30\/10\/14\/24\/005CE55F00000029","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:33.0) Gecko\/20100101 Firefox\/33.0"}}
{"timestamp":"2018-10-30T10:14:54.868520+0000","flow_id":637700352782542,"event_type":"fileinfo","src_ip":"192.168.100.152","src_port":50327,"dest_ip":"58.64.209.84","dest_port":80,"proto":"TCP","http":{"hostname":"clouds.googleupdating.net","url":"\/60094121\/0000090800000DC4\/2018\/10\/30\/10\/14\/24\/005CE55F00000029","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:33.0) Gecko\/20100101 Firefox\/33.0","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","fileinfo":{"filename":"\/60094121\/0000090800000DC4\/2018\/10\/30\/10\/14\/24\/005CE55F00000029","gaps":false,"state":"CLOSED","stored":false,"size":36,"tx_id":0}}
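Pivoting on the eve.json records above, as an added example that is not part of this page: the sample events are trimmed copies of the DNS, alert and http records shown (only the fields the script reads are kept, and http_method is taken from the matching fileinfo record), embedded inline so the script runs offline. It ties the alert's destination IP back to the hostnames that resolved to it, and reads the timestamp the client wrote into each POST path, which in this capture lands within a second of the DNS lookup for that hostname. The assumption that the path segments are UTC is the script's, not the page's.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Trimmed copies of the eve.json events shown on this page (constructed sample
# input: only the fields used below are kept).
EVE_SAMPLE = r"""
{"timestamp":"2018-10-30T10:14:23.651069+0000","flow_id":208319587282749,"event_type":"dns","src_ip":"192.168.100.152","dest_ip":"192.168.100.2","proto":"UDP","dns":{"type":"query","id":54520,"rrname":"clouds.googleupdating.net","rrtype":"A"}}
{"timestamp":"2018-10-30T10:14:23.989861+0000","flow_id":208319587282749,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.152","proto":"UDP","dns":{"type":"answer","id":54520,"rcode":"NOERROR","rrname":"clouds.googleupdating.net","rrtype":"A","ttl":299,"rdata":"58.64.209.84"}}
{"timestamp":"2018-10-30T10:14:54.002130+0000","flow_id":1271832948639826,"event_type":"dns","src_ip":"192.168.100.152","dest_ip":"192.168.100.2","proto":"UDP","dns":{"type":"query","id":10421,"rrname":"cloud.googleupdating.net","rrtype":"A"}}
{"timestamp":"2018-10-30T10:14:54.358149+0000","flow_id":1271832948639826,"event_type":"dns","src_ip":"192.168.100.2","dest_ip":"192.168.100.152","proto":"UDP","dns":{"type":"answer","id":10421,"rcode":"NOERROR","rrname":"cloud.googleupdating.net","rrtype":"A","ttl":299,"rdata":"58.64.209.84"}}
{"timestamp":"2018-10-30T10:14:54.868520+0000","flow_id":2183650210642428,"event_type":"alert","src_ip":"192.168.100.152","src_port":50779,"dest_ip":"58.64.209.84","dest_port":80,"proto":"TCP","alert":{"signature_id":2827462,"rev":2,"signature":"ETPRO TROJAN Win32.Agent.bjswlh CnC Beacon","severity":1},"app_proto":"http"}
{"timestamp":"2018-10-30T10:14:54.868520+0000","flow_id":2183650210642428,"event_type":"http","src_ip":"192.168.100.152","src_port":50779,"dest_ip":"58.64.209.84","dest_port":80,"proto":"TCP","http":{"hostname":"cloud.googleupdating.net","url":"/60094121/0000090800000DC4/2018/10/30/10/14/54/005D5BE700004823","http_user_agent":"Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0","http_method":"POST","length":0}}
{"timestamp":"2018-10-30T10:14:54.868520+0000","flow_id":637700352782542,"event_type":"http","src_ip":"192.168.100.152","src_port":50327,"dest_ip":"58.64.209.84","dest_port":80,"proto":"TCP","http":{"hostname":"clouds.googleupdating.net","url":"/60094121/0000090800000DC4/2018/10/30/10/14/24/005CE55F00000029","http_user_agent":"Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0","http_method":"POST","length":0}}
"""


def parse_eve(text):
    """eve.json is one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    """Suricata writes e.g. 2018-10-30T10:14:54.868520+0000; %z accepts +0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def resolutions(events):
    """Map each IP seen in an A-record answer to {hostname: time of first query}."""
    first_query = {}
    by_ip = defaultdict(dict)
    for ev in events:
        if ev.get("event_type") != "dns":
            continue
        d = ev["dns"]
        if d["type"] == "query":
            first_query.setdefault(d["rrname"], parse_ts(ev["timestamp"]))
        elif d["type"] == "answer" and d.get("rrtype") == "A" and "rdata" in d:
            by_ip[d["rdata"]][d["rrname"]] = first_query.get(d["rrname"])
    return by_ip


def embedded_time(url):
    """The beacon paths here have the shape /<id>/<id>/YYYY/MM/DD/HH/MM/SS/<hex>.
    Return the encoded datetime (UTC assumed), or None if the path does not fit."""
    parts = url.strip("/").split("/")
    if len(parts) != 9:
        return None
    try:
        y, mo, d, h, mi, s = (int(p) for p in parts[2:8])
        return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
    except ValueError:
        return None


def beacon_report(events):
    """For each alert: hostnames that resolved to its destination, plus every HTTP
    request to that destination with the lag between the DNS query for the
    hostname and the time the client embedded in the URL path."""
    by_ip = resolutions(events)
    http = [e for e in events if e.get("event_type") == "http"]
    report = []
    for a in (e for e in events if e.get("event_type") == "alert"):
        dst = a["dest_ip"]
        names = by_ip.get(dst, {})
        requests = []
        for h in http:
            if h["dest_ip"] != dst:
                continue
            host = h["http"].get("hostname")
            url = h["http"].get("url", "")
            t_url, t_dns = embedded_time(url), names.get(host)
            lag = (t_url - t_dns).total_seconds() if t_url and t_dns else None
            requests.append({
                "hostname": host, "method": h["http"].get("http_method"),
                "url": url, "dns_known": host in names, "dns_to_beacon_s": lag,
                "user_agent": h["http"].get("http_user_agent"),
            })
        report.append({
            "signature_id": a["alert"]["signature_id"],
            "signature": a["alert"]["signature"], "dest_ip": dst,
            "resolved_names": sorted(names), "requests": requests,
        })
    return report


if __name__ == "__main__":
    for r in beacon_report(parse_eve(EVE_SAMPLE)):
        print(f"sid {r['signature_id']} -> {r['dest_ip']} via {r['resolved_names']}")
        for q in r["requests"]:
            lag = "n/a" if q["dns_to_beacon_s"] is None else f"{q['dns_to_beacon_s']:+.3f}s"
            print(f"  {q['method']} {q['hostname']}{q['url']}  dns->beacon {lag}")
```

Three things the records themselves show, which the script makes easy to check across a larger eve.json. The first two path segments (60094121 and 0000090800000DC4) are identical in both requests while the final segment differs, so they behave like fixed identifiers and the tail like a per-request value. Both http records and the alert carry the same timestamp (10:14:54.868520) even though the earlier request's path says 10:14:24, which is consistent with the http records being written when the flows were flushed at the end of the capture; for ordering, rely on the DNS event times rather than the http record's timestamp. And the User-Agent claims X11/Linux Firefox 33 while the signature names a Win32 agent; a hard-coded User-Agent like that is a useful pivot when hunting for further beacons from the same host.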


keyword_perf.log - (9496 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 9/11/2019 -- 15:15:14
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             646556          115             115             24694           5622.00         5622.00         0.00           
  threshold        32594           2               1               23990           16297.00        23990.00        8604.00        
  content          2012524         261             143             432520          7710.00         6428.00         9264.00        
  pcre             588744          45              2               48564           13083.00        8335.00         13304.00       
  byte_test        366994          63              47              34662           5825.00         5996.00         5323.00        
  byte_jump        76438           13              13              14180           5879.00         5879.00         0.00           
  isdataat         10574           2               0               5324            5287.00         0.00            5287.00        
  urilen           228554          45              31              7338            5078.00         5098.00         5036.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             646556          115             115             24694           5622.00         5622.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1091086         112             58              432520          9741.00         6341.00         13393.00       
  pcre             45856           3               0               26296           15285.00        0.00            15285.00       
  byte_test        366994          63              47              34662           5825.00         5996.00         5323.00        
  byte_jump        76438           13              13              14180           5879.00         5879.00         0.00           
  isdataat         10574           2               0               5324            5287.00         0.00            5287.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: threshold
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  threshold        32594           2               1               23990           16297.00        23990.00        8604.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          539312          87              55              43126           6198.00         6646.00         5429.00        
  pcre             474510          38              0               48564           12487.00        0.00            12487.00       
  urilen           228554          45              31              7338            5078.00         5098.00         5036.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          25650           4               2               7966            6412.00         5870.00         6955.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          209384          32              16              7884            6543.00         6658.00         6428.00        
  pcre             51708           2               0               35362           25854.00        0.00            25854.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          33436           6               2               6784            5572.00         5505.00         5606.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          21486           4               4               6472            5371.00         5371.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_cookie
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             16670           2               2               9280            8335.00         8335.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          92170           16              6               7150            5760.00         5851.00         5706.00        


unified2.alert.1568214913 - (580 bytes)
POST /60094121/0000090800000DC4/2018/10/30/10/14/54/005D5BE700004823 HTTP/1.1
Host: cloud.googleupdating.net
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 36
Cookie: 1075855396
Connection: keep-alive
Proxy-Connection: keep-alive

60094121


IDSDeathBlossom.py.log - (1175 bytes)
2019-09-11 15:14:45,386 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-09-11 15:14:46,355 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-09-11 15:14:46,355 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-09-11 15:14:46,356 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-09-11 15:14:46,356 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-09-11 15:14:46,357 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/ea2f6cf49138b205e155f659e19dc0c556b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09112019.1514-33d1c14e-ec07-4660-bde7-9848b7b7f9b4.pcap -vvv -k none
2019-09-11 15:15:14,355 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-09-11 15:15:14,356 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 28.982544899