--------------------------------------------------------------------------
Date: 2/11/2019 -- 12:42:41. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2019010 1 3 177356 1.90 22 0 119165 8061.64 0.00 8061.64
2 2023476 1 5 98534 1.06 1 0 98534 98534.00 0.00 98534.00
3 2019832 1 4 97819 1.05 1 0 97819 97819.00 0.00 97819.00
4 2019833 1 7 86208 0.92 1 0 86208 86208.00 0.00 86208.00
5 2021946 1 2 86129 0.92 1 0 86129 86129.00 0.00 86129.00
6 2816909 1 2 77584 0.83 1 0 77584 77584.00 0.00 77584.00
7 2805348 1 4 726757 7.79 16 0 73488 45422.31 0.00 45422.31
8 2827279 1 5 97393 1.04 2 0 71878 48696.50 0.00 48696.50
9 2828060 1 4 63151 0.68 1 0 63151 63151.00 0.00 63151.00
10 2828008 1 2 114211 1.22 2 0 62121 57105.50 0.00 57105.50
11 2019343 1 3 59440 0.64 1 1 59440 59440.00 59440.00 0.00
12 2023818 1 2 58386 0.63 1 1 58386 58386.00 58386.00 0.00
13 2822213 1 2 57625 0.62 1 0 57625 57625.00 0.00 57625.00
14 2018005 1 6 56762 0.61 1 0 56762 56762.00 0.00 56762.00
15 2816910 1 2 55732 0.60 1 0 55732 55732.00 0.00 55732.00
16 2816940 1 2 55165 0.59 1 0 55165 55165.00 0.00 55165.00
17 2814978 1 2 52412 0.56 1 0 52412 52412.00 0.00 52412.00
18 2814979 1 2 50864 0.55 1 0 50864 50864.00 0.00 50864.00
19 2821561 1 2 46703 0.50 1 0 46703 46703.00 0.00 46703.00
20 2022535 1 11 46620 0.50 1 0 46620 46620.00 0.00 46620.00
21 2816895 1 2 44585 0.48 1 0 44585 44585.00 0.00 44585.00
22 2022627 1 12 44318 0.48 1 0 44318 44318.00 0.00 44318.00
23 2020855 1 3 41535 0.45 1 0 41535 41535.00 0.00 41535.00
24 2816931 1 3 40877 0.44 1 0 40877 40877.00 0.00 40877.00
25 2824408 1 2 40798 0.44 1 0 40798 40798.00 0.00 40798.00
26 2025064 1 5 39468 0.42 1 0 39468 39468.00 0.00 39468.00
27 2825063 1 2 39338 0.42 1 0 39338 39338.00 0.00 39338.00
28 2816327 1 4 38251 0.41 1 0 38251 38251.00 0.00 38251.00
29 2827575 1 2 37024 0.40 1 0 37024 37024.00 0.00 37024.00
30 2820851 1 5 36489 0.39 1 0 36489 36489.00 0.00 36489.00
31 2823166 1 3 35740 0.38 1 0 35740 35740.00 0.00 35740.00
32 2816525 1 10 35687 0.38 1 0 35687 35687.00 0.00 35687.00
33 2816356 1 2 35122 0.38 1 0 35122 35122.00 0.00 35122.00
34 2023462 1 2 34948 0.37 1 1 34948 34948.00 34948.00 0.00
35 2024601 1 2 34390 0.37 1 0 34390 34390.00 0.00 34390.00
36 2024771 1 1 34260 0.37 1 0 34260 34260.00 0.00 34260.00
37 2018457 1 1 34239 0.37 1 0 34239 34239.00 0.00 34239.00
38 2815664 1 3 34014 0.36 1 0 34014 34014.00 0.00 34014.00
39 2816165 1 5 55743 0.60 2 0 33467 27871.50 0.00 27871.50
40 2828986 1 2 32084 0.34 1 0 32084 32084.00 0.00 32084.00
41 2815817 1 5 31489 0.34 1 0 31489 31489.00 0.00 31489.00
42 2023626 1 3 245550 2.63 79 0 31477 3108.23 0.00 3108.23
43 2816927 1 3 31320 0.34 1 0 31320 31320.00 0.00 31320.00
44 2816924 1 4 31150 0.33 1 0 31150 31150.00 0.00 31150.00
45 2816922 1 5 30889 0.33 1 0 30889 30889.00 0.00 30889.00
46 2023916 1 2 30817 0.33 1 0 30817 30817.00 0.00 30817.00
47 2816925 1 3 30522 0.33 1 0 30522 30522.00 0.00 30522.00
48 2816928 1 3 30288 0.32 1 0 30288 30288.00 0.00 30288.00
49 2013739 1 15 302108 3.24 101 0 29560 2991.17 0.00 2991.17
50 2819673 1 4 29501 0.32 1 0 29501 29501.00 0.00 29501.00
51 2809850 1 2 29225 0.31 1 0 29225 29225.00 0.00 29225.00
52 2807878 1 2 29057 0.31 1 0 29057 29057.00 0.00 29057.00
53 2816526 1 13 28713 0.31 1 0 28713 28713.00 0.00 28713.00
54 2020496 1 2 28567 0.31 1 0 28567 28567.00 0.00 28567.00
55 2014702 1 9 83485 0.89 8 0 28562 10435.62 0.00 10435.62
56 2821615 1 2 28454 0.30 1 0 28454 28454.00 0.00 28454.00
57 2012612 1 16 51206 0.55 2 0 28177 25603.00 0.00 25603.00
58 2829848 1 2 27993 0.30 1 0 27993 27993.00 0.00 27993.00
59 2816929 1 4 27477 0.29 1 0 27477 27477.00 0.00 27477.00
60 2816328 1 5 27201 0.29 1 0 27201 27201.00 0.00 27201.00
61 2816930 1 4 26647 0.29 1 0 26647 26647.00 0.00 26647.00
62 2023316 1 2 24943 0.27 1 0 24943 24943.00 0.00 24943.00
63 2009702 1 5 98597 1.06 8 0 24309 12324.62 0.00 12324.62
64 2828190 1 2 23757 0.25 1 0 23757 23757.00 0.00 23757.00
65 2811740 1 2 23547 0.25 1 0 23547 23547.00 0.00 23547.00
66 2022502 1 4 23269 0.25 1 0 23269 23269.00 0.00 23269.00
67 2802876 1 3 23138 0.25 1 0 23138 23138.00 0.00 23138.00
68 2014701 1 12 97892 1.05 8 0 22911 12236.50 0.00 12236.50
69 2007880 1 7 22530 0.24 1 0 22530 22530.00 0.00 22530.00
70 2816669 1 4 22379 0.24 1 0 22379 22379.00 0.00 22379.00
71 2826256 1 2 43703 0.47 2 0 22370 21851.50 0.00 21851.50
72 2023624 1 3 235399 2.52 77 0 22239 3057.13 0.00 3057.13
73 2816857 1 2 22154 0.24 1 0 22154 22154.00 0.00 22154.00
74 2804626 1 9 22047 0.24 1 0 22047 22047.00 0.00 22047.00
75 2830036 1 1 21969 0.24 1 0 21969 21969.00 0.00 21969.00
76 2017552 1 6 84964 0.91 5 0 21397 16992.80 0.00 16992.80
77 2806659 1 4 21231 0.23 1 0 21231 21231.00 0.00 21231.00
78 2018667 1 3 20889 0.22 1 0 20889 20889.00 0.00 20889.00
79 2829625 1 2 20673 0.22 1 0 20673 20673.00 0.00 20673.00
80 2016537 1 2 50394 0.54 3 0 20353 16798.00 0.00 16798.00
81 2019230 1 2 57443 0.62 6 0 19831 9573.83 0.00 9573.83
82 2824636 1 2 19357 0.21 1 0 19357 19357.00 0.00 19357.00
83 2022543 1 1 61955 0.66 4 0 17708 15488.75 0.00 15488.75
84 2826281 1 2 65263 0.70 4 0 17470 16315.75 0.00 16315.75
85 2008120 1 4 304696 3.27 109 0 16768 2795.38 0.00 2795.38
86 2809132 1 1 16765 0.18 1 0 16765 16765.00 0.00 16765.00
87 2803760 1 3 65362 0.70 4 0 16678 16340.50 0.00 16340.50
88 2827147 1 2 16102 0.17 1 0 16102 16102.00 0.00 16102.00
89 2802990 1 5 26801 0.29 2 0 16006 13400.50 0.00 13400.50
90 2809433 1 2 15958 0.17 1 0 15958 15958.00 0.00 15958.00
91 2812337 1 3 15833 0.17 1 0 15833 15833.00 0.00 15833.00
92 2010140 1 7 299951 3.21 105 0 15669 2856.68 0.00 2856.68
93 2809667 1 2 15653 0.17 1 0 15653 15653.00 0.00 15653.00
94 2013382 1 3 15564 0.17 1 0 15564 15564.00 0.00 15564.00
95 2822483 1 3 15391 0.16 1 0 15391 15391.00 0.00 15391.00
96 2025114 1 1 15212 0.16 1 0 15212 15212.00 0.00 15212.00
97 2024513 1 5 15087 0.16 1 0 15087 15087.00 0.00 15087.00
98 2828331 1 3 15085 0.16 1 0 15085 15085.00 0.00 15085.00
99 2819934 1 2 15007 0.16 1 0 15007 15007.00 0.00 15007.00
100 2815824 1 2 14936 0.16 1 0 14936 14936.00 0.00 14936.00
101 2816932 1 2 14908 0.16 1 0 14908 14908.00 0.00 14908.00
102 2014703 1 9 70307 0.75 8 0 14842 8788.38 0.00 8788.38
103 2823937 1 13 14816 0.16 1 0 14816 14816.00 0.00 14816.00
104 2010142 1 4 282973 3.03 105 0 14789 2694.98 0.00 2694.98
105 2820803 1 4 14748 0.16 1 0 14748 14748.00 0.00 14748.00
106 2811544 1 1 51282 0.55 6 0 14742 8547.00 0.00 8547.00
107 2821753 1 3 14734 0.16 1 0 14734 14734.00 0.00 14734.00
108 2816395 1 3 14703 0.16 1 0 14703 14703.00 0.00 14703.00
109 2811577 1 2 52482 0.56 6 0 14689 8747.00 0.00 8747.00
110 2820364 1 5 14654 0.16 1 0 14654 14654.00 0.00 14654.00
111 2826043 1 4 14597 0.16 1 0 14597 14597.00 0.00 14597.00
112 2811542 1 1 42625 0.46 3 0 14588 14208.33 0.00 14208.33
113 2825236 1 2 14549 0.16 1 0 14549 14549.00 0.00 14549.00
114 2025005 1 13 14541 0.16 1 0 14541 14541.00 0.00 14541.00
115 2815823 1 2 14306 0.15 1 0 14306 14306.00 0.00 14306.00
116 2815451 1 2 24995 0.27 2 0 14258 12497.50 0.00 12497.50
117 2807531 1 3 24106 0.26 2 0 13857 12053.00 0.00 12053.00
118 2023622 1 3 231190 2.48 83 0 13505 2785.42 0.00 2785.42
119 2016179 1 2 51289 0.55 15 0 13501 3419.27 0.00 3419.27
120 2100518 1 8 96909 1.04 33 0 7585 2936.64 0.00 2936.64
121 2810793 1 5 8147 0.09 2 0 5566 4073.50 0.00 4073.50
122 2018789 1 3 4620 0.05 1 0 4620 4620.00 0.00 4620.00
123 2823788 1 4 14582 0.16 4 0 4318 3645.50 0.00 3645.50
124 2019809 1 2 8513 0.09 2 0 4295 4256.50 0.00 4256.50
125 2008117 1 3 8
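The rule_perf.log table above is sorted by max ticks, which surfaces the single slowest check per rule; most of the top entries were checked exactly once, so their Avg No Match is one sample and usually reflects a cold cache rather than an expensive rule. For tuning a ruleset the more useful question is which rules are checked often, never match, and still take a noticeable share of total rule ticks (for example 2805348: 16 checks, 0 matches, 7.79 %). The following added example (written for this page, not Suricata's own code) parses the table format shown above, re-ranks it by any of the sort criteria Suricata offers, and lists never-matching rules whose cost is not a single-sample outlier. The sample rows are a constructed subset of the table above, re-spaced; the sort-key names are assumed to be the values accepted by `profiling.rules.sort` in Suricata 4.x and should be checked against your build.

```python
"""Rank rules from a Suricata rule_perf.log by cost, with emphasis on rules
that burn ticks without ever matching.  Added example for this page; it is
not Suricata's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample in the rule_perf.log layout shown on this page: a handful
# of the rows above, re-spaced.  It is not the page's complete table.
SAMPLE_RULE_PERF = """\
--------------------------------------------------------------------------
Date: 2/11/2019 -- 12:42:41. Sorted by: max ticks.
--------------------------------------------------------------------------
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2019010      1        3        177356       1.90   22       0        119165      8061.64     0.00        8061.64
  2        2023476      1        5        98534        1.06   1        0        98534       98534.00    0.00        98534.00
  7        2805348      1        4        726757       7.79   16       0        73488       45422.31    0.00        45422.31
  11       2019343      1        3        59440        0.64   1        1        59440       59440.00    59440.00    0.00
  42       2023626      1        3        245550       2.63   79       0        31477       3108.23     0.00        3108.23
"""


@dataclass(frozen=True)
class RuleStat:
    num: int
    sid: int
    gid: int
    rev: int
    ticks: int
    pct: float          # share of all rule ticks, as printed by Suricata
    checks: int
    matches: int
    max_ticks: int
    avg_ticks: float
    avg_match: float
    avg_no_match: float


# One data row: four ints, ticks, percent, two ints, max ticks, three averages.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_rule_perf(text: str) -> list[RuleStat]:
    """Return one RuleStat per data row.  Banner, header and separator lines,
    and a truncated trailing row, are skipped because they do not match."""
    rows: list[RuleStat] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m is None:
            continue
        g = m.groups()
        rows.append(RuleStat(int(g[0]), int(g[1]), int(g[2]), int(g[3]), int(g[4]),
                             float(g[5]), int(g[6]), int(g[7]), int(g[8]),
                             float(g[9]), float(g[10]), float(g[11])))
    return rows


# Sort orders named after the values Suricata's profiling.rules.sort option
# accepts (assumption: names as in 4.x util-profiling.c; check your build).
SORT_KEYS: dict[str, Callable[[RuleStat], float]] = {
    "ticks": lambda r: r.ticks,
    "avgticks": lambda r: r.avg_ticks,
    "avgticks_match": lambda r: r.avg_match,
    "avgticks_no_match": lambda r: r.avg_no_match,
    "checks": lambda r: r.checks,
    "matches": lambda r: r.matches,
    "maxticks": lambda r: r.max_ticks,
}


def rank(stats: list[RuleStat], key: str = "ticks", limit: int = 10) -> list[RuleStat]:
    """Re-sort a parsed table by any of the sort criteria above."""
    return sorted(stats, key=SORT_KEYS[key], reverse=True)[:limit]


def summarize(stats: list[RuleStat]) -> dict[str, float]:
    """Total ticks versus ticks spent on rules that never matched in this run."""
    total = sum(r.ticks for r in stats)
    no_match = sum(r.ticks for r in stats if r.matches == 0)
    return {"rules": len(stats), "total_ticks": total, "no_match_ticks": no_match,
            "no_match_share": (no_match / total) if total else 0.0}


def tuning_candidates(stats: list[RuleStat], min_checks: int = 10,
                      min_pct: float = 1.0) -> list[RuleStat]:
    """Rules worth a look: never matched, checked often enough that the
    average is not a single-sample outlier, and above a share of total ticks."""
    picked = [r for r in stats
              if r.matches == 0 and r.checks >= min_checks and r.pct >= min_pct]
    return sorted(picked, key=lambda r: r.ticks, reverse=True)


if __name__ == "__main__":
    table = parse_rule_perf(SAMPLE_RULE_PERF)
    print(summarize(table))
    for r in tuning_candidates(table):
        print(f"sid {r.sid} rev {r.rev}: {r.ticks} ticks ({r.pct}%), "
              f"{r.checks} checks, {r.avg_no_match:.0f} avg ticks per miss")
```

Point the script at a real rule_perf.log and compare `rank(table, "maxticks")` with `rank(table, "ticks")`: the first reproduces the ordering on this page, the second is the one to act on, because a rule that costs 45k ticks per check on every one of thousands of flows matters far more than one 119k-tick outlier. Rules that appear in `tuning_candidates` are the ones to re-check for a missing fast-pattern, an anchorless `pcre`, or a port/app-layer restriction that would keep them out of the packet MPM groups entirely.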

lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/ee08f0b91e659ef8c755959d14718fc056b33745cb75ec8c950e11a498e082d2 -r /var/pcap/02112019.1242-192257d7-c053-4366-ba7a-4b3ce806975e.pcap -vvv -k none
elapsedtime:22.386185
stderr:
stdout:
11/2/2019 -- 12:42:18 - <Info> - Configuration node 'rule-files' redefined.
11/2/2019 -- 12:42:18 - <Notice> - This is Suricata version 4.0.0 RELEASE
11/2/2019 -- 12:42:18 - <Info> - CPUs/cores online: 1
11/2/2019 -- 12:42:18 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34259 and 'request-body-inspect-window' set to 16193 after randomization.
11/2/2019 -- 12:42:18 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 31239 and 'response-body-inspect-window' set to 17024 after randomization.
11/2/2019 -- 12:42:18 - <Config> - DNS request flood protection level: 500
11/2/2019 -- 12:42:18 - <Config> - DNS per flow memcap (state-memcap): 524288
11/2/2019 -- 12:42:18 - <Config> - DNS global memcap: 16777216
11/2/2019 -- 12:42:18 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
11/2/2019 -- 12:42:18 - <Config> - preallocated 1000 hosts of size 136
11/2/2019 -- 12:42:18 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
11/2/2019 -- 12:42:18 - <Config> - using magic-file /usr/share/file/magic
11/2/2019 -- 12:42:18 - <Config> - Core dump size is unlimited.
11/2/2019 -- 12:42:18 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
11/2/2019 -- 12:42:18 - <Config> - preallocated 1000 defrag trackers of size 168
11/2/2019 -- 12:42:18 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
11/2/2019 -- 12:42:18 - <Config> - stream "prealloc-sessions": 2048 (per thread)
11/2/2019 -- 12:42:18 - <Config> - stream "memcap": 33554432
11/2/2019 -- 12:42:18 - <Config> - stream "midstream" session pickups: disabled
11/2/2019 -- 12:42:18 - <Config> - stream "async-oneside": disabled
11/2/2019 -- 12:42:18 - <Config> - stream "checksum-validation": disabled
11/2/2019 -- 12:42:18 - <Config> - stream."inline": disabled
11/2/2019 -- 12:42:18 - <Config> - stream "bypass": disabled
11/2/2019 -- 12:42:18 - <Config> - stream "max-synack-queued": 5
11/2/2019 -- 12:42:18 - <Config> - stream.reassembly "memcap": 134217728
11/2/2019 -- 12:42:18 - <Config> - stream.reassembly "depth": 0
11/2/2019 -- 12:42:18 - <Config> - stream.reassembly "toserver-chunk-size": 2483
11/2/2019 -- 12:42:18 - <Config> - stream.reassembly "toclient-chunk-size": 2601
11/2/2019 -- 12:42:18 - <Config> - stream.reassembly.raw: enabled
11/2/2019 -- 12:42:18 - <Config> - stream.reassembly "segment-prealloc": 2048
11/2/2019 -- 12:42:18 - <Config> - Delayed detect disabled
11/2/2019 -- 12:42:18 - <Config> - pattern matchers: MPM: ac, SPM: bm
11/2/2019 -- 12:42:18 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
11/2/2019 -- 12:42:18 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
11/2/2019 -- 12:42:18 - <Config> - prefilter engines: MPM
11/2/2019 -- 12:42:18 - <Config> - IP reputation disabled
11/2/2019 -- 12:42:18 - <Perf> - Registered 148 keyword profiling counters.
11/2/2019 -- 12:42:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
11/2/2019 -- 12:42:18 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
11/2/2019 -- 12:42:19 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
11/2/2019 -- 12:42:23 - <Config> - No rules loaded from ET-icmp.rules.
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
11/2/2019 -- 12:42:23 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
11/2/2019 -- 12:42:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
11/2/2019 -- 12:42:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
11/2/2019 -- 12:42:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
11/2/2019 -- 12:42:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
11/2/2019 -- 12:42:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
11/2/2019 -- 12:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
11/2/2019 -- 12:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
11/2/2019 -- 12:42:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
11/2/2019 -- 12:42:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
11/2/2019 -- 12:42:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
11/2/2019 -- 12:42:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
11/2/2019 -- 12:42:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
11/2/2019 -- 12:42:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
11/2/2019 -- 12:42:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
11/2/2019 -- 12:42:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
11/2/2019 -- 12:42:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
11/2/2019 -- 12:42:31 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
11/2/2019 -- 12:42:31 - <Config> - No rules loaded from local.rules.
11/2/2019 -- 12:42:31 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
11/2/2019 -- 12:42:31 - <Info> - Threshold config parsed: 0 rule(s) found
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for tcp-packet
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for tcp-stream
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for udp-packet
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for other-ip
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_uri
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_request_line
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_client_body
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_response_line
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_header
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_header
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_header_names
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_header_names
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_accept
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_accept_enc
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_accept_lang
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_referer
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_connection
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_content_len
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_content_len
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_content_type
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_content_type
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_protocol
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_protocol
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_start
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_start
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_raw_header
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_raw_header
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_method
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_cookie
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_cookie
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_raw_uri
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_user_agent
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_host
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_raw_host
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_stat_msg
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_stat_code
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for dns_query
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for tls_sni
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for tls_cert_issuer
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for tls_cert_subject
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for tls_cert_serial
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for dce_stub_data
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for dce_stub_data
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for ssh_protocol
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for ssh_protocol
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for ssh_software
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for ssh_software
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for file_data
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for file_data
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_request_line
11/2/2019 -- 12:42:31 - <Perf> - using shared mpm ctx' for http_response_line
11/2/2019 -- 12:42:32 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
11/2/2019 -- 12:42:32 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
11/2/2019 -- 12:42:32 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
11/2/2019 -- 12:42:32 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
11/2/2019 -- 12:42:32 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
11/2/2019 -- 12:42:32 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
11/2/2019 -- 12:42:32 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
11/2/2019 -- 12:42:32 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
11/2/2019 -- 12:42:36 - <Perf> - Unique rule groups: 104
11/2/2019 -- 12:42:36 - <Perf> - Builtin MPM "toserver TCP packet": 35
11/2/2019 -- 12:42:36 - <Perf> - Builtin MPM "toclient TCP packet": 17
11/2/2019 -- 12:42:36 - <Perf> - Builtin MPM "toserver TCP stream": 33
11/2/2019 -- 12:42:36 - <Perf> - Builtin MPM "toclient TCP stream": 19
11/2/2019 -- 12:42:36 - <Perf> - Builtin MPM "toserver UDP packet": 27
11/2/2019 -- 12:42:36 - <Perf> - Builtin MPM "toclient UDP packet": 17
11/2/2019 -- 12:42:36 - <Perf> - Builtin MPM "other IP packet": 3
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_uri": 14
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_request_line": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_client_body": 6
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient http_response_line": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_header": 10
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient http_header": 6
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_header_names": 2
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_accept": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_referer": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_content_len": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_content_type": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient http_content_type": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_protocol": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_start": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_method": 5
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_cookie": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient http_cookie": 2
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver http_host": 2
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver dns_query": 4
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver tls_sni": 2
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toserver file_data": 1
11/2/2019 -- 12:42:36 - <Perf> - AppLayer MPM "toclient file_data": 7
11/2/2019 -- 12:42:39 - <Perf> - Registered 39590 rule profiling counters.
11/2/2019 -- 12:42:39 - <Info> - fast output device (regular) initialized: alert
11/2/2019 -- 12:42:39 - <Info> - eve-log output device (regular) initialized: eve.json
11/2/2019 -- 12:42:39 - <Config> - enabling 'eve-log' module 'alert'
11/2/2019 -- 12:42:39 - <Config> - enabling 'eve-log' module 'http'
11/2/2019 -- 12:42:39 - <Config> - enabling 'eve-log' module 'dns'
11/2/2019 -- 12:42:39 - <Config> - enabling 'eve-log' module 'tls'
11/2/2019 -- 12:42:39 - <Config> - enabling 'eve-log' module 'files'
11/2/2019 -- 12:42:39 - <Config> - enabling 'eve-log' module 'ssh'
11/2/2019 -- 12:42:39 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
11/2/2019 -- 12:42:39 - <Info> - stats output device (regular) initialized: stats.log
11/2/2019 -- 12:42:39 - <Config> - AutoFP mode using "Hash" flow load balancer
11/2/2019 -- 12:42:39 - <Info> - reading pcap file /var/pcap/02112019.1242-192257d7-c053-4366-ba7a-4b3ce806975e.pcap
11/2/2019 -- 12:42:39 - <Config> - us

Packet profile dump:
IP ver Proto cnt min max avg tot %%
------ ----- ---------- ------------ ------------ ----------- ----------- ---
IPv4 6 43 155147 54177296 40299655 1.7b 27.25
IPv4 17 51 6356589 46384286 21293757 1.1b 17.08
IPv6 17 58 32954306 58713665 41200766 2.4b 37.58
IPv6 58 27 32709195 58584763 42623478 1.2b 18.10
Note: Protocol 256 tracks pseudo/tunnel packets.
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
TMM_FLOWWORKER IPv4 6 43 67071 2385454 306619 13.2m 22.53
TMM_FLOWWORKER IPv4 17 51 129852 13469283 502841 25.6m 43.82
TMM_RECEIVEPCAPFILE IPv4 6 39 2540 3412 2849 111.1k 0.19
TMM_RECEIVEPCAPFILE IPv4 17 51 2562 27619 3494 178.2k 0.30
TMM_DECODEPCAPFILE IPv4 6 39 2658 5441 2967 115.7k 0.20
TMM_DECODEPCAPFILE IPv4 17 51 2689 19474 3244 165.5k 0.28
TMM_FLOWWORKER IPv6 17 58 108205 7606180 285439 16.6m 28.29
TMM_FLOWWORKER IPv6 58 27 66017 100525 75404 2.0m 3.48
TMM_RECEIVEPCAPFILE IPv6 17 58 2549 3597 2838 164.6k 0.28
TMM_RECEIVEPCAPFILE IPv6 58 27 2543 4260 2839 76.7k 0.13
TMM_DECODEPCAPFILE IPv6 17 58 2687 9773 3005 174.3k 0.30
TMM_DECODEPCAPFILE IPv6 58 27 2741 30599 4155 112.2k 0.19
Flow Worker IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
flow IPv4 6 39 2855 16536 3646 142.2k 0.42
flow IPv4 17 51 2680 10307 3540 180.6k 0.53
stream IPv4 6 43 2715 419136 30199 1.3m 3.82
app-layer IPv4 17 51 2524 28273 6178 315.1k 0.93
detect IPv4 6 43 44933 2179708 244912 10.5m 31.02
detect IPv4 17 51 113608 594981 215559 11.0m 32.38
tcp-prune IPv4 6 43 2520 19257 3386 145.6k 0.43
flow IPv6 17 58 2761 5964 3522 204.3k 0.60
flow IPv6 58 27 2820 6029 3164 85.4k 0.25
app-layer IPv6 17 58 2528 11079 5216 302.5k 0.89
detect IPv6 17 58 92137 251405 138523 8.0m 23.66
detect IPv6 58 27 54662 88037 63687 1.7m 5.06
Note: stream includes app-layer for TCP
Per App layer parser stats:
App Layer IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- ----------- ---
http IPv4 6 3 3233 41286 17699 53.1k 22.09
tls IPv4 6 2 2692 5154 3923 7.8k 3.26
dns IPv4 17 9 4511 21908 8157 73.4k 30.54
http IPv6 17 1 41286 41286 41286 41.3k 17.18
dns IPv6 17 11 5885 5885 5885 64.7k 26.93
Proto detect IPv4 17 11 2987 11037 5418 59.6k
Proto detect IPv6 17 23 2725 4796 3257 74.9k
Log Thread Module IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
Logger/output stats:
Logger IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
LOGGER_JSON_DNS IPv4 17 8 40682 12934700 1687752 13.5m 97.14
LOGGER_JSON_HTTP IPv4 6 2 67220 71012 69116 138.2k 0.99
LOGGER_JSON_TLS IPv4 6 1 47727 47727 47727 47.7k 0.34
LOGGER_JSON_FILE IPv4 6 1 212153 212153 212153 212.2k 1.53
Prefilter IP ver Proto cnt min max avg tot %%
-------------------- ------ ----- ---------- ------------ ------------ ----------- --------- ---
payload IPv4 6 17 2633 186970 42695 725.8k 20.55
payload IPv4 17 51 3675 104103 14808 755.2k 21.38
stream IPv4 6 17 2562 264486 49140 835.4k 23.65
http_uri IPv4 6 2 5277 45408 25342 50.7k 1.43
http_request_line IPv4 6 2 7017 8716 7866 15.7k 0.45
http_client_body IPv4 6 2 3390 8388 5889 11.8k 0.33
http_header (request) IPv4 6 2 66044 83399 74721 149.4k 4.23
http_header (request trailer) IPv4 6 2 2634 2639 2636 5.3k 0.15
http_header_names (request) IPv4 6 2 15518 22394 18956 37.9k 1.07
http_accept (request) IPv4 6 2 4109 4771 4440 8.9k 0.25
http_referer (request) IPv4 6 2 3130 3494 3312 6.6k 0.19
http_content_len (request) IPv4 6 2 3437 3467 3452 6.9k 0.20
http_content_type (request) IPv4 6 2 3286 3507 3396 6.8k 0.19
http_protocol (request) IPv4 6 2 5074 5093 5083 10.2k 0.29
http_start (request) IPv4 6 2 13407 13545 13476 27.0k 0.76
http_raw_header (request) IPv4 6 2 12516 21584 17050 34.1k 0.97
http_method IPv4 6 2 6704 7741 7222 14.4k 0.41
http_cookie (request) IPv4 6 2 3459 3493 3476 7.0k 0.20
http_raw_uri IPv4 6 2 2979 6686 4832 9.7k 0.27
http_user_agent IPv4 6 2 13379 24344 18861 37.7k 1.07
http_host IPv4 6 2 13112 20014 16563 33.1k 0.94
dns_query IPv4 17 4 9255 14517 11674 46.7k 1.32
tls_sni IPv4 6 1 8695 8695 8695 8.7k 0.25
http_response_line IPv4 6 2 8291 8502 8396 16.8k 0.48
http_header (response) IPv4 6 2 53895 59034 56464 112.9k 3.20
http_header (response trailer) IPv4 6 2 2671 2827 2749 5.5k 0.16
http_content_type (response) IPv4 6 2 9867 9999 9933 19.9k 0.56
http_raw_header (response) IPv4 6 2 9824 12880 11352 22.7k 0.64
http_cookie (response) IPv4 6 2 3520 3905 3712 7.4k 0.21
http_stat_code IPv4 6 2 4311 4541 4426 8.9k 0.25
tls_cert_issuer IPv4 6 1 6521 6521 6521 6.5k 0.18
tls_cert_subject IPv4 6 1 6866 6866 6866 6.9k 0.19
tls_cert_serial IPv4 6 1 5901 5901 5901 5.9k 0.17
Total IPv4 143 21387 3.1m
payload IPv6 17 58 3264 28623 6439 373.5k 10.57
payload IPv6 58 27 2834 6802 3735 100.9k 2.86
Total IPv6 85 5580 474.3k
General detection engine stats:
Detection phase IP ver Proto cnt min max avg tot %%
------------------------ ------ ----- ---------- ------------ ------------ ----------- ----------- ---
PROF_DETECT_IPONLY IPv4 6 8 10585 79990 39169 313.4k 0.92
PROF_DETECT_IPONLY IPv4 17 11 37431 82167 50291 553.2k 1.63
PROF_DETECT_RULES IPv4 6 43 2530 1762215 114491 4.9m 14.50
PROF_DETECT_RULES IPv4 17 51 54059 370357 123182 6.3m 18.50
PROF_DETECT_STATEFUL_START IPv4 6 6 5214 952881 225761 1.4m 3.99
PROF_DETECT_STATEFUL_CONT IPv4 6 43 2529 21739 6111 262.8k 0.77
PROF_DETECT_STATEFUL_CONT IPv4 17 51 2575 56587 4623 235.8k 0.69
PROF_DETECT_STATEFUL_UPDATE IPv4 6 27 2555 3094 2738 73.9k 0.22
PROF_DETECT_STATEFUL_UPDATE IPv4 17 8 2690 3745 3032 24.3k 0.07
PROF_DETECT_PREFILTER IPv4 6 43 7876 479569 76713 3.3m 9.71
PROF_DETECT_PREFILTER IPv4 17 51 24558 128527 40173 2.0m 6.03
PROF_DETECT_PF_PAYLOAD IPv4 6 17 42564 293932 99765 1.7m 4.99
PROF_DETECT_PF_PAYLOAD IPv4 17 51 8882 109220 20099 1.0m 3.02
PROF_DETECT_PF_TX IPv4 6 27 2712 324140 34630 935.0k 2.75
PROF_DETECT_PF_TX IPv4 17 4 15037 20298 17686 70.7k 0.21
PROF_DETECT_PF_SORT1 IPv4 6 17 2577 17255 4399 74.8k 0.22
PROF_DETECT_PF_SORT1 IPv4 17 51 2751 5247 3513 179.2k 0.53
PROF_DETECT_PF_SORT2 IPv4 6 43 2516 4838 3033 130.4k 0.38
PROF_DETECT_PF_SORT2 IPv4 17 51 2556 4295 2921 149.0k 0.44
PROF_DETECT_NONMPMLIST IPv4 6 43 2611 3798 3022 130.0k 0.38
PROF_DETECT_NONMPMLIST IPv4 17 51 2533 4026 2864 146.1k 0.43
PROF_DETECT_ALERT IPv4 6 43 2525 3757 2676 115.1k 0.34
PROF_DETECT_ALERT IPv4 17 51 2527 5382 2693 137.4k 0.40
PROF_DETECT_CLEANUP IPv4 6 43 2566 16188 3514 151.1k 0.45
PROF_DETECT_CLEANUP IPv4 17 51 2523 13728 3138 160.1k 0.47
PROF_DETECT_GETSGH IPv4 6 43 2542 9979 3532 151.9k 0.45
PROF_DETECT_GETSGH IPv4 17 51 2564 22853 3819 194.8k 0.57
PROF_DETECT_IPONLY IPv6 17 23 2943 4243 3255 74.9k 0.22
PROF_DETECT_IPONLY IPv6 58 2 7948 9968 8958 17.9k 0.05
PROF_DETECT_RULES IPv6 17 58 33535 166350 65515 3.8m 11.19
PROF_DETECT_RULES IPv6 58 27 2538 9309 3663 98.9k 0.29
PROF_DETECT_STATEFUL_CONT IPv6 17 58 2516 3556 2818 163.5k 0.48
PROF_DETECT_STATEFUL_CONT IPv6 58 27 2527 3481 2861 77.3k 0.23
PROF_DETECT_PREFILTER IPv6 17 58 23972 105516 30581 1.8m 5.22
PROF_DETECT_PREFILTER IPv6 58 27 18356 33898 21827 589.4k 1.74
PROF_DETECT_PF_PAYLOAD IPv6 17 58 8458 83706 13189 765.0k 2.25
PROF_DETECT_PF_PAYLOAD IPv6 58 27 8016 22747 9905 267.4k 0.79
PROF_DETECT_PF_SORT1 IPv6 17 58 2593 5256 3124 181.2k 0.53
PROF_DETECT_PF_SORT2 IPv6 17 58 2540 3945 2741 159.0k 0.47
PROF_DETECT_PF_SORT2 IPv6 58 27 2516 2908 2648 71.5k 0.21
PROF_DETECT_NONMPMLIST IPv6 17 58 2520 15768 3040 176.3
------------------------------------------------------------------------------------
Date: 2/11/2019 -- 12:42:41 (uptime: 0d, 00h 00m 02s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 480
decoder.bytes | Total | 37856
decoder.ipv4 | Total | 90
decoder.ipv6 | Total | 85
decoder.ethernet | Total | 480
decoder.tcp | Total | 39
decoder.udp | Total | 109
decoder.icmpv6 | Total | 27
decoder.avg_pkt_size | Total | 78
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 4
flow.udp | Total | 30
flow.icmpv6 | Total | 2
tcp.sessions | Total | 3
tcp.syn | Total | 3
tcp.synack | Total | 3
tcp.rst | Total | 1
detect.mpm_list | Total | 8
detect.nonmpm_list | Total | 2
detect.match_list | Total | 9
app_layer.flow.http | Total | 2
app_layer.tx.http | Total | 2
app_layer.flow.tls | Total | 1
app_layer.flow.dns_udp | Total | 4
app_layer.tx.dns_udp | Total | 4
app_layer.flow.failed_udp | Total | 26
flow_mgr.closed_pruned | Total | 1
flow_mgr.new_pruned | Total | 28
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 18
flow_mgr.flows_notimeout | Total | 4
flow_mgr.flows_timeout | Total | 14
flow_mgr.flows_removed | Total | 14
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65515
flow_mgr.rows_empty | Total | 3
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 81920
flow.memuse | Total | 7080352
{"timestamp":"2019-01-18T08:20:18.337232+0000","flow_id":1471294939997520,"pcap_cnt":93,"event_type":"dns","src_ip":"192.168.100.203","src_port":53891,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4988,"rrname":"ctldl.windowsupdate.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-18T08:20:18.343062+0000","flow_id":1471294939997520,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":53891,"proto":"UDP","dns":{"type":"answer","id":4988,"rcode":"NOERROR","rrname":"ctldl.windowsupdate.com","rrtype":"CNAME","ttl":1462,"rdata":"audownload.windowsupdate.nsatc.net"}}
{"timestamp":"2019-01-18T08:20:18.343062+0000","flow_id":1471294939997520,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":53891,"proto":"UDP","dns":{"type":"answer","id":4988,"rcode":"NOERROR","rrname":"audownload.windowsupdate.nsatc.net","rrtype":"CNAME","ttl":574,"rdata":"au.au-msedge.net"}}
{"timestamp":"2019-01-18T08:20:18.343062+0000","flow_id":1471294939997520,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":53891,"proto":"UDP","dns":{"type":"answer","id":4988,"rcode":"NOERROR","rrname":"au.au-msedge.net","rrtype":"CNAME","ttl":13,"rdata":"au.c-0001.c-msedge.net"}}
{"timestamp":"2019-01-18T08:20:18.343062+0000","flow_id":1471294939997520,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":53891,"proto":"UDP","dns":{"type":"answer","id":4988,"rcode":"NOERROR","rrname":"au.c-0001.c-msedge.net","rrtype":"CNAME","ttl":13,"rdata":"c-0001.c-msedge.net"}}
{"timestamp":"2019-01-18T08:20:18.343062+0000","flow_id":1471294939997520,"pcap_cnt":94,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":53891,"proto":"UDP","dns":{"type":"answer","id":4988,"rcode":"NOERROR","rrname":"c-0001.c-msedge.net","rrtype":"A","ttl":13,"rdata":"13.107.4.50"}}
{"timestamp":"2019-01-18T08:20:18.465826+0000","flow_id":1241308031274764,"pcap_cnt":101,"event_type":"http","src_ip":"192.168.100.203","src_port":50934,"dest_ip":"13.107.4.50","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"ctldl.windowsupdate.com","url":"\/msdownload\/update\/v3\/static\/trustedr\/en\/pinrulesstl.cab?2e3fc8e312d3921e","http_user_agent":"Microsoft-CryptoAPI\/10.0","http_content_type":"application\/vnd.ms-cab-compressed"}}
{"timestamp":"2019-01-18T08:21:51.914810+0000","flow_id":1579042790700410,"pcap_cnt":289,"event_type":"dns","src_ip":"192.168.100.203","src_port":55994,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46482,"rrname":"nexus.officeapps.live.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-18T08:21:51.939253+0000","flow_id":1579042790700410,"pcap_cnt":290,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":55994,"proto":"UDP","dns":{"type":"answer","id":46482,"rcode":"NOERROR","rrname":"nexus.officeapps.live.com","rrtype":"CNAME","ttl":156,"rdata":"prod-w.nexus.live.com.akadns.net"}}
{"timestamp":"2019-01-18T08:21:51.939253+0000","flow_id":1579042790700410,"pcap_cnt":290,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":55994,"proto":"UDP","dns":{"type":"answer","id":46482,"rcode":"NOERROR","rrname":"prod-w.nexus.live.com.akadns.net","rrtype":"A","ttl":299,"rdata":"52.109.120.23"}}
{"timestamp":"2019-01-18T08:21:52.031093+0000","flow_id":2085187506698613,"pcap_cnt":291,"event_type":"dns","src_ip":"192.168.100.203","src_port":54342,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3043,"rrname":"nexusrules.officeapps.live.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-18T08:21:52.064108+0000","flow_id":2085187506698613,"pcap_cnt":292,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":54342,"proto":"UDP","dns":{"type":"answer","id":3043,"rcode":"NOERROR","rrname":"nexusrules.officeapps.live.com","rrtype":"CNAME","ttl":2479,"rdata":"prod.nexusrules.live.com.akadns.net"}}
{"timestamp":"2019-01-18T08:21:52.064108+0000","flow_id":2085187506698613,"pcap_cnt":292,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":54342,"proto":"UDP","dns":{"type":"answer","id":3043,"rcode":"NOERROR","rrname":"prod.nexusrules.live.com.akadns.net","rrtype":"A","ttl":299,"rdata":"52.109.124.18"}}
{"timestamp":"2019-01-18T08:23:54.319180+0000","flow_id":1532352209280716,"pcap_cnt":437,"event_type":"dns","src_ip":"192.168.100.203","src_port":61154,"dest_ip":"192.168.100.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24856,"rrname":"www.kakaocorp.link","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-18T08:23:54.568887+0000","flow_id":1532352209280716,"pcap_cnt":438,"event_type":"dns","src_ip":"192.168.100.2","src_port":53,"dest_ip":"192.168.100.203","dest_port":61154,"proto":"UDP","dns":{"type":"answer","id":24856,"rcode":"NOERROR","rrname":"www.kakaocorp.link","rrtype":"A","ttl":99,"rdata":"138.201.162.99"}}
{"timestamp":"2019-01-18T08:23:54.627145+0000","flow_id":1198676200010751,"pcap_cnt":445,"event_type":"http","src_ip":"192.168.100.203","src_port":53896,"dest_ip":"138.201.162.99","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.kakaocorp.link","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2019-01-18T08:23:55.531070+0000","flow_id":900781563426530,"pcap_cnt":454,"event_type":"tls","src_ip":"192.168.100.203","src_port":53908,"dest_ip":"138.201.162.99","dest_port":443,"proto":"TCP","tls":{"subject":"CN=138.201.162.99","issuerdn":"C=AU, ST=Some-State, L=City, O=Some Company"}}
{"timestamp":"2019-01-18T08:24:22.741148+0000","flow_id":1198676200010751,"event_type":"fileinfo","src_ip":"138.201.162.99","src_port":80,"dest_ip":"192.168.100.203","dest_port":53896,"proto":"TCP","http":{"hostname":"www.kakaocorp.link","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":301,"redirect":"https:\/\/kakaocorp.link\/","length":162},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":162,"tx_id":0}}
--------------------------------------------------------------------------------------------------------------------------------
Date: 2/11/2019 -- 12:42:41
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 321035 90 90 9442 3567.00 3567.00 0.00
content 1015946 272 168 18441 3735.00 3897.00 3473.00
pcre 266990 33 13 36094 8090.00 5906.00 9510.00
byte_test 307747 101 72 17362 3047.00 2941.00 3308.00
byte_jump 45083 16 16 4159 2817.00 2817.00 0.00
isdataat 11443 4 0 2881 2860.00 0.00 2860.00
flowbits 79136 25 4 5621 3165.00 4713.00 2870.00
urilen 59712 18 1 4058 3317.00 3720.00 3293.00
byte_extract 6576 2 2 3981 3288.00 3288.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flow 321035 90 90 9442 3567.00 3567.00 0.00
flowbits 65252 22 1 4970 2966.00 4970.00 2870.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 563002 163 92 13517 3454.00 3546.00 3334.00
pcre 100890 15 5 28544 6726.00 4692.00 7743.00
byte_test 307747 101 72 17362 3047.00 2941.00 3308.00
byte_jump 45083 16 16 4159 2817.00 2817.00 0.00
isdataat 11443 4 0 2881 2860.00 0.00 2860.00
byte_extract 6576 2 2 3981 3288.00 3288.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: post-match
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flowbits 13884 3 3 5621 4628.00 4628.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_uri
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 34701 9 3 5188 3855.00 4562.00 3502.00
pcre 17791 3 0 9474 5930.00 0.00 5930.00
urilen 59712 18 1 4058 3317.00 3720.00 3293.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 357999 84 67 18441 4261.00 4354.00 3896.00
pcre 138267 13 6 36094 10635.00 7213.00 13569.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_header_names
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 20045 5 1 5165 4009.00 3616.00 4107.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_content_type
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 7797 2 2 4270 3898.00 3898.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_method
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 3299 1 0 3299 3299.00 0.00 3299.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_user_agent
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 22194 6 3 4389 3699.00 3868.00 3530.00
pcre 10042 2 2 5132 5021.00 5021.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_stat_code
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 6909 2 0 3623 3454.00 0.00 3454.00
2019-02-11 12:42:18,214 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-02-11 12:42:18,911 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-02-11 12:42:18,911 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-02-11 12:42:18,911 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-02-11 12:42:18,911 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-02-11 12:42:18,912 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/ee08f0b91e659ef8c755959d14718fc056b33745cb75ec8c950e11a498e082d2 -r /var/pcap/02112019.1242-192257d7-c053-4366-ba7a-4b3ce806975e.pcap -vvv -k none
2019-02-11 12:42:41,300 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-02-11 12:42:41,301 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.0946941376