Filename: network (2).pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 24.448568821 seconds
Hash: fe4a2d55894ae34e5348ffd1bc2e53a9
Uploaded: 1568628794 (Unix epoch: 2019-09-16 10:13:14 UTC)

Logfiles


unified2.alert.1568628818 (30467 bytes)
(unified2 is a binary format. The event and packet record headers render as non-printable bytes and are omitted here; among other fields they carry the epoch timestamps that match the fast log below (the bytes 5D 65 31 5B = 08/27/2019 13:34:19) and the IP/TCP headers of each logged packet. Each alert record stores the packet that triggered it, so the readable request headers recur once per alert until the display is truncated. Only the readable payloads are kept below.)

Request-header packets (Content-Length is 192 in the earlier records and 165 in the later ones):

POST /mercy/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: devworkserver.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 2A99D6E2
Content-Length: 192
Connection: close

Request-body packets (binary; length fields and other non-printable bytes omitted, readable fragments only):

ckav.ru  ppzZjyL3GWyLLIIVU  3GWyLLIIVU  X  06897110B52C166E7F20FBF0B

This file has been truncated.
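The request logged above is distinctive enough to check for without a full IDS. The following is an added example, not code from this report, from Suricata or from any ET signature: it parses a raw HTTP request and flags the traits visible in the capture (the Charon/Inferno User-Agent, an HTTP/1.0 POST to a fre.php endpoint, the non-standard Content-Key header with an octet-stream body, and the "ckav.ru" marker in the body), then pulls out the Content-Key value and the hex identifier from the body. The header lines are copied from the dump; the body bytes are constructed to stand in for the real 192-byte payload, and the benign request, the indicator names and the "lokibot-checkin" verdict are this example's own.

```python
"""Indicator checks against the LokiBot check-in request seen in the unified2 dump.

Added example: not code from this report, from Suricata, or from any ET rule.
The request headers are copied from the dump; the body bytes are constructed
to stand in for the real 192-byte binary payload (only the readable fragments
'ckav.ru', the user/host string and the hex identifier are taken from the page).
"""
import re

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed sample: headers as logged, placeholder body with the page's fragments.
SAMPLE_REQUEST = (
    b"POST /mercy/five/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: devworkserver.com\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: 2A99D6E2\r\n"
    b"Content-Length: 192\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x12\x00\x27\x00\x00\x00" b"ckav.ru" b"\x00\x00\x0f\x00"
    b"ppzZjyL3GWyLLIIVU" b"\x00\x00\x01\x00" b"X" b"\x00\x00\x19\x00"
    b"06897110B52C166E7F20FBF0B"
)

# Constructed benign request for comparison (hypothetical host).
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": method.decode(), "uri": uri.decode(), "version": version.decode(),
            "headers": headers, "body": body}


def lokibot_indicators(req: dict) -> list:
    """Return the names of the LokiBot traits present in a parsed request.

    The traits mirror what is visible in the captured request; they are this
    example's own checks, not the content matches of the ET signatures.
    """
    h = req["headers"]
    hits = []
    if h.get("user-agent") == LOKIBOT_UA:
        hits.append("ua_charon_inferno")
    if req["method"] == "POST" and req["version"] == "HTTP/1.0" and req["uri"].endswith("fre.php"):
        hits.append("post_fre_php_http10")
    if "content-key" in h and h.get("content-type") == "application/octet-stream":
        hits.append("content_key_octet_stream")
    if b"ckav.ru" in req["body"]:
        hits.append("body_ckav_marker")
    return hits


def extract_ids(req: dict) -> dict:
    """Pull the Content-Key value and the long hex identifier out of the body."""
    m = re.search(rb"[0-9A-F]{16,}", req["body"])
    return {"content_key": req["headers"].get("content-key"),
            "body_id": m.group().decode() if m else None}


def classify(raw: bytes) -> tuple:
    """Parse, score and label one request: (hits, verdict)."""
    req = parse_request(raw)
    hits = lokibot_indicators(req)
    verdict = "lokibot-checkin" if len(hits) >= 2 else "no-match"
    return hits, verdict


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        hits, verdict = classify(raw)
        print(name, verdict, hits, extract_ids(parse_request(raw)))
```

The verdict requires two independent traits so that a single coincidence (a proxy that rewrites Content-Type, an old client sending HTTP/1.0) does not fire on its own; the Content-Key value and the body identifier are what you would pivot on when hunting for other hosts talking to the same panel.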


suricata-4.0.0-etpro-all-alert-2019-09-16-T-10-13-39-09162019.1013-network_2.pcap.txt (11420 bytes)
08/27/2019-13:34:19.833333  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49590 -> 205.134.251.165:80
08/27/2019-13:34:19.833333  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49590 -> 205.134.251.165:80
08/27/2019-13:34:21.388329  [**] [1:2024312:3] ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49590 -> 205.134.251.165:80
08/27/2019-13:34:21.388329  [**] [1:2024317:3] ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49590 -> 205.134.251.165:80
08/27/2019-13:34:21.388329  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49590 -> 205.134.251.165:80
08/27/2019-13:34:20.078285  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49591 -> 205.134.251.165:80
08/27/2019-13:34:20.078285  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49591 -> 205.134.251.165:80
08/27/2019-13:34:21.682239  [**] [1:2024312:3] ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49591 -> 205.134.251.165:80
08/27/2019-13:34:21.682239  [**] [1:2024317:3] ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49591 -> 205.134.251.165:80
08/27/2019-13:34:21.682239  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49591 -> 205.134.251.165:80
08/27/2019-13:34:20.342375  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49592 -> 205.134.251.165:80
08/27/2019-13:34:20.342375  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49592 -> 205.134.251.165:80
08/27/2019-13:34:20.471975  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49592 -> 205.134.251.165:80
08/27/2019-13:34:20.471975  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49592 -> 205.134.251.165:80
08/27/2019-13:34:20.471975  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49592 -> 205.134.251.165:80
08/27/2019-13:34:38.076964  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49593 -> 205.134.251.165:80
08/27/2019-13:34:38.076964  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49593 -> 205.134.251.165:80
08/27/2019-13:34:38.229309  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49593 -> 205.134.251.165:80
08/27/2019-13:34:38.229309  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49593 -> 205.134.251.165:80
08/27/2019-13:34:38.229309  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49593 -> 205.134.251.165:80
08/27/2019-13:34:57.335436  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49594 -> 205.134.251.165:80
08/27/2019-13:34:57.335436  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49594 -> 205.134.251.165:80
08/27/2019-13:34:59.420568  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49594 -> 205.134.251.165:80
08/27/2019-13:34:59.420568  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49594 -> 205.134.251.165:80
08/27/2019-13:34:59.420568  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49594 -> 205.134.251.165:80
08/27/2019-13:35:16.961842  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49595 -> 205.134.251.165:80
08/27/2019-13:35:16.961842  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49595 -> 205.134.251.165:80
08/27/2019-13:35:17.202268  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49595 -> 205.134.251.165:80
08/27/2019-13:35:17.202268  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49595 -> 205.134.251.165:80
08/27/2019-13:35:17.202268  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49595 -> 205.134.251.165:80
08/27/2019-13:35:36.323800  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49596 -> 205.134.251.165:80
08/27/2019-13:35:36.323800  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49596 -> 205.134.251.165:80
08/27/2019-13:35:36.475970  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49596 -> 205.134.251.165:80
08/27/2019-13:35:36.475970  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49596 -> 205.134.251.165:80
08/27/2019-13:35:36.475970  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49596 -> 205.134.251.165:80
08/27/2019-13:35:55.978069  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49597 -> 205.134.251.165:80
08/27/2019-13:35:55.978069  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49597 -> 205.134.251.165:80
08/27/2019-13:35:56.166771  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49597 -> 205.134.251.165:80
08/27/2019-13:35:56.166771  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49597 -> 205.134.251.165:80
08/27/2019-13:35:56.166771  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49597 -> 205.134.251.165:80
08/27/2019-13:36:15.468901  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49598 -> 205.134.251.165:80
08/27/2019-13:36:15.468901  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49598 -> 205.134.251.165:80
08/27/2019-13:36:15.607940  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49598 -> 205.134.251.165:80
08/27/2019-13:36:15.607940  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49598 -> 205.134.251.165:80
08/27/2019-13:36:15.607940  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49598 -> 205.134.251.165:80
08/27/2019-13:36:35.148608  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49599 -> 205.134.251.165:80
08/27/2019-13:36:35.148608  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49599 -> 205.134.251.165:80
08/27/2019-13:36:35.292737  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49599 -> 205.134.251.165:80
08/27/2019-13:36:35.292737  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49599 -> 205.134.251.165:80
08/27/2019-13:36:35.292737  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49599 -> 205.134.251.165:80
08/27/2019-13:36:54.959957  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49600 -> 205.134.251.165:80
08/27/2019-13:36:54.959957  [**] [1:2025381:4] ET TROJAN LokiBot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49600 -> 205.134.251.165:80
08/27/2019-13:36:55.112168  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49600 -> 205.134.251.165:80
08/27/2019-13:36:55.112168  [**] [1:2024318:3] ET TROJAN LokiBot Request for C2 Commands Detected M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49600 -> 205.134.251.165:80
08/27/2019-13:36:55.112168  [**] [1:2825766:3] ETPRO TROJAN LokiBot Checkin M2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49600 -> 205.134.251.165:80
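Read per flow, the fast log above shows three connections within half a second (the initial check-in and the two credential-exfiltration flows on ports 49590 and 49591), then one "Request for C2 Commands" flow roughly every 19 to 20 seconds. The following is an added example, not code from this report or from Suricata: it parses fast.log lines, groups SIDs by flow, and measures the interval between successive flows that fired a given SID, which is the periodicity check you would run to confirm beaconing on a larger capture. SAMPLE_FAST_LOG is a subset of the lines above (the 2021641 hit for each flow plus two follow-on alerts); the periodicity score and its 10% tolerance are this example's own choice.

```python
"""Parse Suricata fast.log lines and measure C2 beacon periodicity.

Added example; not code from the report or from Suricata. SAMPLE_FAST_LOG is a
subset of the fast log above: one SID 2021641 line per flow, plus two of the
follow-on alerts for the first flows.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_FAST_LOG = """\
08/27/2019-13:34:19.833333  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49590 -> 205.134.251.165:80
08/27/2019-13:34:21.388329  [**] [1:2024312:3] ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49590 -> 205.134.251.165:80
08/27/2019-13:34:20.078285  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49591 -> 205.134.251.165:80
08/27/2019-13:34:20.342375  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49592 -> 205.134.251.165:80
08/27/2019-13:34:20.471975  [**] [1:2024313:4] ET TROJAN LokiBot Request for C2 Commands Detected M1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49592 -> 205.134.251.165:80
08/27/2019-13:34:38.076964  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49593 -> 205.134.251.165:80
08/27/2019-13:34:57.335436  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49594 -> 205.134.251.165:80
08/27/2019-13:35:16.961842  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49595 -> 205.134.251.165:80
08/27/2019-13:35:36.323800  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49596 -> 205.134.251.165:80
08/27/2019-13:35:55.978069  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49597 -> 205.134.251.165:80
08/27/2019-13:36:15.468901  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49598 -> 205.134.251.165:80
08/27/2019-13:36:35.148608  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49599 -> 205.134.251.165:80
08/27/2019-13:36:54.959957  [**] [1:2021641:6] ET TROJAN LokiBot User-Agent (Charon/Inferno) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.240.209:49600 -> 205.134.251.165:80
"""

# One fast.log line: timestamp, [gid:sid:rev], message, classification, priority, proto, 5-tuple.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)\s*$"
)


def parse_fast_line(line: str):
    """Return a dict for one fast.log line, or None if the line does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev


def parse_fast_log(text: str) -> list:
    return [ev for ev in (parse_fast_line(l) for l in text.splitlines()) if ev]


def flow_key(ev: dict) -> tuple:
    return (ev["src"], ev["sport"], ev["dst"], ev["dport"])


def sids_per_flow(events: list) -> dict:
    """Map each 4-tuple flow to the sorted list of SIDs that fired on it."""
    out = defaultdict(set)
    for ev in events:
        out[flow_key(ev)].add(ev["sid"])
    return {k: sorted(v) for k, v in out.items()}


def beacon_intervals(events: list, sid: int) -> list:
    """Seconds between successive flows on which `sid` fired (first hit per flow)."""
    first = {}
    for ev in events:
        if ev["sid"] != sid:
            continue
        k = flow_key(ev)
        if k not in first or ev["ts"] < first[k]:
            first[k] = ev["ts"]
    times = sorted(first.values())
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def periodicity_score(intervals: list, tolerance: float = 0.10) -> float:
    """Fraction of intervals within +/- tolerance of the median interval (0.0 to 1.0)."""
    if len(intervals) < 2:
        return 0.0
    med = statistics.median(intervals)
    lo, hi = med * (1 - tolerance), med * (1 + tolerance)
    return sum(lo <= x <= hi for x in intervals) / len(intervals)


if __name__ == "__main__":
    events = parse_fast_log(SAMPLE_FAST_LOG)
    for flow, sids in sorted(sids_per_flow(events).items()):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  sids={sids}")
    iv = beacon_intervals(events, 2021641)
    print("intervals:", [round(x, 2) for x in iv])
    print("periodicity:", periodicity_score(iv))
```

On the sample the first two intervals are under 0.3 s (the startup burst) and the remaining eight cluster around 19.5 s, so eight of ten fall within 10% of the median. Keying the intervals on the first hit per flow rather than on every alert matters: five signatures fire per flow here, and counting each would produce spurious near-zero gaps.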


suricata-report-2019-09-16-T-10-13-39-09162019.1013-network_2.pcap.txt (17655 bytes)
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/fe4a2d55894ae34e5348ffd1bc2e53a956b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09162019.1013-network_2.pcap -vvv -k none
elapsedtime:23.457070
stderr:
stdout:
16/9/2019 -- 10:13:15 - <Info> - Configuration node 'rule-files' redefined.
16/9/2019 -- 10:13:15 - <Notice> - This is Suricata version 4.0.0 RELEASE
16/9/2019 -- 10:13:15 - <Info> - CPUs/cores online: 1
16/9/2019 -- 10:13:15 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 34248 and 'request-body-inspect-window' set to 17149 after randomization.
16/9/2019 -- 10:13:15 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 32242 and 'response-body-inspect-window' set to 16176 after randomization.
16/9/2019 -- 10:13:15 - <Config> - DNS request flood protection level: 500
16/9/2019 -- 10:13:15 - <Config> - DNS per flow memcap (state-memcap): 524288
16/9/2019 -- 10:13:15 - <Config> - DNS global memcap: 16777216
16/9/2019 -- 10:13:15 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
16/9/2019 -- 10:13:15 - <Config> - preallocated 1000 hosts of size 136
16/9/2019 -- 10:13:15 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
16/9/2019 -- 10:13:15 - <Config> - using magic-file /usr/share/file/magic
16/9/2019 -- 10:13:15 - <Config> - Core dump size is unlimited.
16/9/2019 -- 10:13:15 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
16/9/2019 -- 10:13:15 - <Config> - preallocated 1000 defrag trackers of size 168
16/9/2019 -- 10:13:15 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
16/9/2019 -- 10:13:15 - <Config> - stream "prealloc-sessions": 2048 (per thread)
16/9/2019 -- 10:13:15 - <Config> - stream "memcap": 33554432
16/9/2019 -- 10:13:15 - <Config> - stream "midstream" session pickups: disabled
16/9/2019 -- 10:13:15 - <Config> - stream "async-oneside": disabled
16/9/2019 -- 10:13:15 - <Config> - stream "checksum-validation": disabled
16/9/2019 -- 10:13:15 - <Config> - stream."inline": disabled
16/9/2019 -- 10:13:15 - <Config> - stream "bypass": disabled
16/9/2019 -- 10:13:15 - <Config> - stream "max-synack-queued": 5
16/9/2019 -- 10:13:15 - <Config> - stream.reassembly "memcap": 134217728
16/9/2019 -- 10:13:15 - <Config> - stream.reassembly "depth": 0
16/9/2019 -- 10:13:15 - <Config> - stream.reassembly "toserver-chunk-size": 2526
16/9/2019 -- 10:13:15 - <Config> - stream.reassembly "toclient-chunk-size": 2564
16/9/2019 -- 10:13:15 - <Config> - stream.reassembly.raw: enabled
16/9/2019 -- 10:13:15 - <Config> - stream.reassembly "segment-prealloc": 2048
16/9/2019 -- 10:13:15 - <Config> - Delayed detect disabled
16/9/2019 -- 10:13:15 - <Config> - pattern matchers: MPM: ac, SPM: bm
16/9/2019 -- 10:13:15 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
16/9/2019 -- 10:13:15 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
16/9/2019 -- 10:13:15 - <Config> - prefilter engines: MPM
16/9/2019 -- 10:13:15 - <Config> - IP reputation disabled
16/9/2019 -- 10:13:15 - <Perf> - Registered 148 keyword profiling counters.
16/9/2019 -- 10:13:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
16/9/2019 -- 10:13:15 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
16/9/2019 -- 10:13:16 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
16/9/2019 -- 10:13:20 - <Config> - No rules loaded from ET-icmp.rules.
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
16/9/2019 -- 10:13:20 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
16/9/2019 -- 10:13:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
16/9/2019 -- 10:13:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
16/9/2019 -- 10:13:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
16/9/2019 -- 10:13:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
16/9/2019 -- 10:13:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
16/9/2019 -- 10:13:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
16/9/2019 -- 10:13:21 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
16/9/2019 -- 10:13:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
16/9/2019 -- 10:13:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
16/9/2019 -- 10:13:24 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
16/9/2019 -- 10:13:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
16/9/2019 -- 10:13:26 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
16/9/2019 -- 10:13:27 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
16/9/2019 -- 10:13:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
16/9/2019 -- 10:13:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
16/9/2019 -- 10:13:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
16/9/2019 -- 10:13:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
16/9/2019 -- 10:13:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
16/9/2019 -- 10:13:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
16/9/2019 -- 10:13:29 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
16/9/2019 -- 10:13:29 - <Config> - No rules loaded from local.rules.
16/9/2019 -- 10:13:29 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
16/9/2019 -- 10:13:29 - <Info> - Threshold config parsed: 0 rule(s) found
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for tcp-packet
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for tcp-stream
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for udp-packet
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for other-ip
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_uri
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_request_line
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_client_body
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_response_line
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_header
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_header
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_header_names
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_header_names
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_accept
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_accept_enc
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_accept_lang
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_referer
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_connection
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_content_len
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_content_len
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_content_type
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_content_type
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_protocol
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_protocol
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_start
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_start
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_raw_header
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_raw_header
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_method
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_cookie
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_cookie
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_raw_uri
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_user_agent
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_host
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_raw_host
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_stat_msg
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_stat_code
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for dns_query
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for tls_sni
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for tls_cert_issuer
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for tls_cert_subject
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for tls_cert_serial
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for dce_stub_data
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for dce_stub_data
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for ssh_protocol
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for ssh_protocol
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for ssh_software
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for ssh_software
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for file_data
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for file_data
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_request_line
16/9/2019 -- 10:13:30 - <Perf> - using shared mpm ctx' for http_response_line
16/9/2019 -- 10:13:30 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
16/9/2019 -- 10:13:30 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
16/9/2019 -- 10:13:30 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
16/9/2019 -- 10:13:30 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
16/9/2019 -- 10:13:30 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
16/9/2019 -- 10:13:30 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
16/9/2019 -- 10:13:30 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
16/9/2019 -- 10:13:30 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
16/9/2019 -- 10:13:36 - <Perf> - Unique rule groups: 104
16/9/2019 -- 10:13:36 - <Perf> - Builtin MPM "toserver TCP packet": 35
16/9/2019 -- 10:13:36 - <Perf> - Builtin MPM "toclient TCP packet": 17
16/9/2019 -- 10:13:36 - <Perf> - Builtin MPM "toserver TCP stream": 33
16/9/2019 -- 10:13:36 - <Perf> - Builtin MPM "toclient TCP stream": 19
16/9/2019 -- 10:13:36 - <Perf> - Builtin MPM "toserver UDP packet": 27
16/9/2019 -- 10:13:36 - <Perf> - Builtin MPM "toclient UDP packet": 17
16/9/2019 -- 10:13:36 - <Perf> - Builtin MPM "other IP packet": 3
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_uri": 14
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_request_line": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_client_body": 6
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient http_response_line": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_header": 10
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient http_header": 6
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_header_names": 2
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_accept": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_referer": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_content_len": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_content_type": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient http_content_type": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_protocol": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_start": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_method": 5
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_cookie": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient http_cookie": 2
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver http_host": 2
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver dns_query": 4
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver tls_sni": 2
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toserver file_data": 1
16/9/2019 -- 10:13:36 - <Perf> - AppLayer MPM "toclient file_data": 7
16/9/2019 -- 10:13:38 - <Perf> - Registered 39590 rule profiling counters.
16/9/2019 -- 10:13:38 - <Info> - fast output device (regular) initialized: alert
16/9/2019 -- 10:13:38 - <Info> - eve-log output device (regular) initialized: eve.json
16/9/2019 -- 10:13:38 - <Config> - enabling 'eve-log' module 'alert'
16/9/2019 -- 10:13:38 - <Config> - enabling 'eve-log' module 'http'
16/9/2019 -- 10:13:38 - <Config> - enabling 'eve-log' module 'dns'
16/9/2019 -- 10:13:38 - <Config> - enabling 'eve-log' module 'tls'
16/9/2019 -- 10:13:38 - <Config> - enabling 'eve-log' module 'files'
16/9/2019 -- 10:13:38 - <Config> - enabling 'eve-log' module 'ssh'
16/9/2019 -- 10:13:38 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
16/9/2019 -- 10:13:38 - <Info> - stats output device (regular) initialized: stats.log
16/9/2019 -- 10:13:38 - <Config> - AutoFP mode using "Hash" flow load balancer
16/9/2019 -- 10:13:38 - <Info> - reading pcap file /var/pcap/09162019.1013-network_2.pcap
16/9/2019 -- 10:13:38 - <Config> - using 1 flow manager threads
16/9/2019 -- 10:13:38 - <Co

This file has been truncated.


packet_stats.log - (23491 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6           215          4795020      230651872     140099003         30.1b   68.97
 IPv4      17           107         12241658      215818068      89844769          9.6b   22.01
 IPv6       6            14        109939056      159121720     116627482          1.6b    3.74
 IPv6      17            17         14706576      121367064      86632300          1.5b    3.37
 IPv6      58            10         18088120      123203414      83585573        835.9m    1.91
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6           215           115180       25523118        811839        174.5m   74.97
TMM_FLOWWORKER              IPv4      17           107           281034        1246000        393381         42.1m   18.08
TMM_RECEIVEPCAPFILE         IPv4       6           203             4442           7968          4928          1.0m    0.43
TMM_RECEIVEPCAPFILE         IPv4      17           107             4432          11354          5223        558.9k    0.24
TMM_DECODEPCAPFILE          IPv4       6           203             4562          18638          5061          1.0m    0.44
TMM_DECODEPCAPFILE          IPv4      17           107             4566          36230          5091        544.8k    0.23
TMM_FLOWWORKER              IPv6       6            14           131232        1352936        352158          4.9m    2.12
TMM_FLOWWORKER              IPv6      17            17           298534         614032        365251          6.2m    2.67
TMM_FLOWWORKER              IPv6      58            10           133310         171046        148675          1.5m    0.64
TMM_RECEIVEPCAPFILE         IPv6       6            14             4486           5962          4871         68.2k    0.03
TMM_RECEIVEPCAPFILE         IPv6      17            17             4636           5726          5145         87.5k    0.04
TMM_RECEIVEPCAPFILE         IPv6      58            10             4554           4946          4744         47.4k    0.02
TMM_DECODEPCAPFILE          IPv6       6            14             4588           5546          4810         67.3k    0.03
TMM_DECODEPCAPFILE          IPv6      17            17             4640          18856          5704         97.0k    0.04
TMM_DECODEPCAPFILE          IPv6      58            10             4678          12120          5606         56.1k    0.02

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6           203             4782         144682          6493          1.3m  0.64  
flow                    IPv4      17           107             4770          31496          6782        725.7k  0.35  
stream                  IPv4       6           215             4508       25310380        143265         30.8m  14.97 
app-layer               IPv4      17           107             4440          54688          9265        991.4k  0.48  
detect                  IPv4       6           215            77312       12347608        563728        121.2m  58.92 
detect                  IPv4      17           107           252104        1126068        354985         38.0m  18.46 
tcp-prune               IPv4       6           215             4446          30258          5430          1.2m  0.57  
flow                    IPv6       6            14             4984           6918          5391         75.5k  0.04  
flow                    IPv6      17            17             4802          58272         10396        176.7k  0.09  
flow                    IPv6      58            10             5242          17928          9092         90.9k  0.04  
stream                  IPv6       6            14             4932         110690         21247        297.5k  0.14  
app-layer               IPv6      17            17             4436          20622          9453        160.7k  0.08  
detect                  IPv6       6            14            92610        1130376        276895          3.9m  1.88  
detect                  IPv6      17            17           268398         560708        325369          5.5m  2.69  
detect                  IPv6      58            10           114182         143348        125216          1.3m  0.61  
tcp-prune               IPv6       6            14             4488           5360          4735         66.3k  0.03  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            25             5218          27718          7959        199.0k  50.21 
http                    IPv4      17            21             5758           8974          6117        128.5k  32.42 
dns                     IPv4      17             4             8454          13206          9934         39.7k  10.03 
http                    IPv6       6             1             6068           6068          6068          6.1k  1.53  
http                    IPv6      17             4             5758           5772          5765         23.1k  5.82  
Proto detect            IPv4      17            34             4598          40460          8049        273.7k
Proto detect            IPv6      17             6             4750           6448          5524         33.1k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            22            27188         309464         52092          1.1m  12.03 
LOGGER_UNIFIED2             IPv4       6            22            36032         180432         56933          1.3m  13.14 
LOGGER_JSON_ALERT           IPv4       6            22            75530         134184         98789          2.2m  22.81 
LOGGER_JSON_DNS             IPv4      17             4            47248          65570         56142        224.6k  2.36  
LOGGER_JSON_HTTP            IPv4       6            17            36890          78996         53732        913.5k  9.58  
LOGGER_JSON_FILE            IPv4       6            34            46860         948736        105950          3.6m  37.80 
LOGGER_JSON_HTTP            IPv6       6             1            56272          56272         56272         56.3k  0.59  
LOGGER_JSON_FILE            IPv6       6             2            60332         101276         80804        161.6k  1.70  

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6           107             4484         422774         38395         4.1m  18.59 
payload                           IPv4      17           107             9450         243812         39429         4.2m  19.09 
stream                            IPv4       6           107             4434         897566         54376         5.8m  26.33 
http_uri                          IPv4       6            17             9886          76638         23043       391.7k  1.77  
http_request_line                 IPv4       6            17             6220          23214          8820       150.0k  0.68  
http_client_body                  IPv4       6            28             4648         206958         31036       869.0k  3.93  
http_header (request)             IPv4       6            17            26356         137872         58003       986.1k  4.46  
http_header (request trailer)     IPv4       6            17             4506          21916          6406       108.9k  0.49  
http_header_names (request)       IPv4       6            17            10964          60368         24577       417.8k  1.89  
http_accept (request)             IPv4       6            17             5028          17266          6110       103.9k  0.47  
http_referer (request)            IPv4       6            17             4842          22014          6029       102.5k  0.46  
http_content_len (request)        IPv4       6            17             5564          22924          7502       127.5k  0.58  
http_content_type (request)       IPv4       6            17             5854          10066          7857       133.6k  0.60  
http_protocol (request)           IPv4       6            17             5484           7250          6521       110.9k  0.50  
http_start (request)              IPv4       6            17             9116          25922         13523       229.9k  1.04  
http_raw_header (request)         IPv4       6            28             6432          27764         13253       371.1k  1.68  
http_method                       IPv4       6            17             5728           9196          7046       119.8k  0.54  
http_cookie (request)             IPv4       6            17             4988          11886          5569        94.7k  0.43  
http_raw_uri                      IPv4       6            17             5280          24184          7782       132.3k  0.60  
http_user_agent                   IPv4       6            17             5996          21756         11190       190.2k  0.86  
http_host                         IPv4       6            17             5620           9502          7520       127.9k  0.58  
dns_query                         IPv4      17             2            12028          25878         18953        37.9k  0.17  
http_response_line                IPv4       6            17             5224          12344          7672       130.4k  0.59  
http_header (response)            IPv4       6            17             7684         120508         27424       466.2k  2.11  
http_header (response trailer)    IPv4       6            17             4472          20938          5526        93.9k  0.43  
http_content_type (response)      IPv4       6            17             5216          11776          8015       136.3k  0.62  
http_raw_header (response)        IPv4       6            26             6050          36322         10735       279.1k  1.26  
http_cookie (response)            IPv4       6            17             4678           5470          4929        83.8k  0.38  
http_stat_code                    IPv4       6            17             4680           8868          5703        97.0k  0.44  
file_data (http response)         IPv4       6             9             4778          23688          7403        66.6k  0.30  
Total                             IPv4                   788                                         25767        20.3m
payload                           IPv6       6             7             4680          84492         45270       316.9k  1.43  
payload                           IPv6      17            17            14536          67824         31963       543.4k  2.46  
payload                           IPv6      58            10             4824          11038          7085        70.9k  0.32  
stream                            IPv6       6             7             4452         192576         65976       461.8k  2.09  
http_uri                          IPv6       6             1            42232          42232         42232        42.2k  0.19  
http_request_line                 IPv6       6             1             9430           9430          9430         9.4k  0.04  
http_client_body                  IPv6       6             1            83126          83126         83126        83.1k  0.38  
http_header (request)             IPv6       6             1            49816          49816         49816        49.8k  0.23  
http_header (request trailer)     IPv6       6             1             4588           4588          4588         4.6k  0.02  
http_header_names (request)       IPv6       6             1            29986          29986         29986        30.0k  0.14  
http_accept (request)             IPv6       6             1             5780           5780          5780         5.8k  0.03  
http_referer (request)            IPv6       6             1             4914           4914          4914         4.9k  0.02  
http_content_len (request)        IPv6       6             1             6126           6126          6126         6.1k  0.03  
http_content_type (request)       IPv6       6             1             7552           7552          7552         7.6k  0.03  
http_protocol (request)           IPv6       6             1             7362           7362          7362         7.4k  0.03  
http_start (request)              IPv6       6             1            15558          15558         15558        15.6k  0.07  
http_raw_header (request)         IPv6       6             1            20746          20746         20746        20.7k  0.09  
http_method                       IPv6       6             1             7546           7546          7546         7.5k  0.03  
http_cookie (request)             IPv6       6             1             5166           5166          5166         5.2k  0.02  
http_raw_uri                      IPv6       6             1             6402           6402          6402         6.4k  0.03  
http_user_agent                   IPv6       6             1             8472           8472          8472         8.5k  0.04  
http_host                         IPv6       6             1             9266           9266          9266         9.3k  0.04  
http_response_line                IPv6       6             1             8066           8066          8066         8.1k  0.04  
http_header (response)            IPv6       6             1            22848          22848         22848        22.8k  0.10  
http_header (response trailer)    IPv6       6             1             4542           4542          4542         4.5k  0.02  
http_content_type (response)      IPv6       6             1             8044           8044          8044         8.0k  0.04  
http_raw_header (response)        IPv6       6             2             6716          11130          8923        17.8k  0.08  
http_cookie (response)            IPv6       6             1             4998           4998          4998         5.0k  0.02  
http_stat_code                    IPv6       6             1             6086           6086          6086         6.1k  0.03  
file_data (http response)         IPv6       6             1             4968           4968          4968         5.0k  0.02  
Total                             IPv6                    68                                         26388         1.8m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6            36             6960          98234         41870          1.5m  0.68  
PROF_DETECT_IPONLY          IPv4      17            34            14244         423110         65625          2.2m  1.01  
PROF_DETECT_RULES           IPv4       6           215             4428       11540426        339562         73.0m  33.12 
PROF_DETECT_RULES           IPv4      17   

This file has been truncated.


stats.log - (3152 bytes)
------------------------------------------------------------------------------------
Date: 9/16/2019 -- 10:13:39 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 392
decoder.bytes                              | Total                     | 203093
decoder.ipv4                               | Total                     | 310
decoder.ipv6                               | Total                     | 41
decoder.ethernet                           | Total                     | 392
decoder.tcp                                | Total                     | 217
decoder.udp                                | Total                     | 124
decoder.icmpv6                             | Total                     | 10
decoder.avg_pkt_size                       | Total                     | 518
decoder.max_pkt_size                       | Total                     | 1514
flow.tcp                                   | Total                     | 21
flow.udp                                   | Total                     | 38
flow.icmpv6                                | Total                     | 10
tcp.sessions                               | Total                     | 18
tcp.syn                                    | Total                     | 18
tcp.synack                                 | Total                     | 18
tcp.rst                                    | Total                     | 12
detect.alert                               | Total                     | 55
detect.mpm_list                            | Total                     | 10
detect.nonmpm_list                         | Total                     | 2
detect.fnonmpm_list                        | Total                     | 1
detect.match_list                          | Total                     | 11
app_layer.flow.http                        | Total                     | 18
app_layer.tx.http                          | Total                     | 18
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.tx.dns_udp                       | Total                     | 2
app_layer.flow.failed_udp                  | Total                     | 36
flow.spare                                 | Total                     | 10000
flow_mgr.flows_checked                     | Total                     | 15
flow_mgr.flows_notimeout                   | Total                     | 15
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_empty                        | Total                     | 65522
flow_mgr.rows_maxlen                       | Total                     | 2
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7078624
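The counter table above is the first thing to read when triaging a pcap run: the decoder, flow, stream and app-layer counters together say how much of the capture Suricata could actually parse. The Python below is an added example, not code from this page or from Suricata. It parses stats.log (including the several dated snapshots a live run appends to the file), and from one snapshot derives the figures an analyst wants: frames that were not IPv4/IPv6, TCP flows with no tracked session, the RST-to-session ratio, and the share of UDP flows no app-layer parser recognised. The sample input is the table shown above, abridged to the counters used; the `counter@TM` key for per-thread rows is this example's own convention.

```python
import re

# The stats.log snapshot shown on this page, abridged to the counters used below.
# A live stats.log appends one such block per stats interval, so the parser
# returns every snapshot it finds, in file order.
SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 9/16/2019 -- 10:13:39 (uptime: 0d, 00h 00m 01s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 392
decoder.bytes                              | Total                     | 203093
decoder.ipv4                               | Total                     | 310
decoder.ipv6                               | Total                     | 41
decoder.tcp                                | Total                     | 217
decoder.udp                                | Total                     | 124
decoder.icmpv6                             | Total                     | 10
flow.tcp                                   | Total                     | 21
flow.udp                                   | Total                     | 38
tcp.sessions                               | Total                     | 18
tcp.syn                                    | Total                     | 18
tcp.synack                                 | Total                     | 18
tcp.rst                                    | Total                     | 12
detect.alert                               | Total                     | 55
app_layer.flow.http                        | Total                     | 18
app_layer.flow.dns_udp                     | Total                     | 2
app_layer.flow.failed_udp                  | Total                     | 36
"""

DATE_RE = re.compile(r"^Date:\s+(.*?)\s+\(uptime:")
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text):
    """Return [(date, {counter: value})], one entry per dated snapshot."""
    snapshots = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            snapshots.append((m.group(1), {}))
            continue
        m = ROW_RE.match(line)
        if m and snapshots:
            counter, tm_name, value = m.groups()
            # Per-thread rows repeat a counter under another TM name; keying
            # them as counter@TM (this example's convention) keeps them apart.
            key = counter if tm_name == "Total" else f"{counter}@{tm_name}"
            snapshots[-1][1][key] = int(value)
    return snapshots


def triage(c):
    """Derive what an analyst reads off one snapshot, plus sanity findings."""
    def get(key):
        return c.get(key, 0)

    findings = []
    ip_pkts = get("decoder.ipv4") + get("decoder.ipv6")
    l4_pkts = sum(get(k) for k in ("decoder.tcp", "decoder.udp",
                                   "decoder.icmpv4", "decoder.icmpv6"))
    if l4_pkts > ip_pkts:
        findings.append(f"L4 packets ({l4_pkts}) exceed IP packets ({ip_pkts}): "
                        "tunnelled or duplicated traffic?")
    if get("tcp.syn") != get("tcp.synack"):
        findings.append(f"{get('tcp.syn') - get('tcp.synack')} SYNs without SYN/ACK: "
                        "possible scan or filtered ports")
    sessions, udp_flows = get("tcp.sessions"), get("flow.udp")
    return {
        # Frames that were neither IPv4 nor IPv6 (this dump has no counter for them).
        "non_ip_frames": get("decoder.pkts") - ip_pkts,
        # TCP flows for which the stream engine never created a session,
        # typically because the handshake is not in the capture.
        "tcp_flows_without_session": get("flow.tcp") - sessions,
        "tcp_reset_ratio": get("tcp.rst") / sessions if sessions else 0.0,
        # UDP flows whose payload no app-layer parser recognised.
        "udp_flows_unparsed": get("app_layer.flow.failed_udp"),
        "udp_unparsed_ratio": get("app_layer.flow.failed_udp") / udp_flows if udp_flows else 0.0,
        "alerts": get("detect.alert"),
        "findings": findings,
    }


if __name__ == "__main__":
    for date, counters in parse_stats_log(SAMPLE_STATS):
        print(date, triage(counters))
```

On this snapshot the derived numbers are the ones worth noting in a report: 41 of 392 frames are not IP at all, 3 of the 21 TCP flows never had a session created, and 36 of 38 UDP flows carried payload no parser identified, so most of the UDP traffic was inspected only by packet-payload rules.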


eve.json - (52012 bytes)
{"timestamp":"2019-08-27T13:33:58.068291+0000","flow_id":1958422161850306,"pcap_cnt":48,"event_type":"fileinfo","src_ip":"192.168.240.34","src_port":49245,"dest_ip":"192.168.240.209","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-08-27T13:33:58.068432+0000","flow_id":863057324933430,"pcap_cnt":50,"event_type":"fileinfo","src_ip":"192.168.240.91","src_port":49307,"dest_ip":"192.168.240.209","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-08-27T13:33:58.068803+0000","flow_id":1958422161850306,"pcap_cnt":52,"event_type":"http","src_ip":"192.168.240.34","src_port":49245,"dest_ip":"192.168.240.209","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-08-27T13:33:58.068804+0000","flow_id":863057324933430,"pcap_cnt":53,"event_type":"http","src_ip":"192.168.240.91","src_port":49307,"dest_ip":"192.168.240.209","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-08-27T13:33:58.069751+0000","flow_id":1958422161850306,"pcap_cnt":56,"event_type":"fileinfo","src_ip":"192.168.240.209","src_port":5357,"dest_ip":"192.168.240.34","dest_port":49245,"proto":"TCP","http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-08-27T13:33:58.070027+0000","flow_id":863057324933430,"pcap_cnt":58,"event_type":"fileinfo","src_ip":"192.168.240.209","src_port":5357,"dest_ip":"192.168.240.91","dest_port":49307,"proto":"TCP","http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-08-27T13:33:58.643164+0000","flow_id":232012812568615,"pcap_cnt":99,"event_type":"fileinfo","src_ip":"192.168.240.209","src_port":49588,"dest_ip":"192.168.240.210","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-08-27T13:33:58.643468+0000","flow_id":232012812568615,"pcap_cnt":101,"event_type":"http","src_ip":"192.168.240.209","src_port":49588,"dest_ip":"192.168.240.210","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-08-27T13:33:58.644848+0000","flow_id":232012812568615,"pcap_cnt":103,"event_type":"fileinfo","src_ip":"192.168.240.210","src_port":5357,"dest_ip":"192.168.240.209","dest_port":49588,"proto":"TCP","http":{"hostname":"192.168.240.210","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:02.319378+0000","flow_id":918531122924333,"pcap_cnt":152,"event_type":"fileinfo","src_ip":"192.168.240.209","src_port":49589,"dest_ip":"192.168.240.233","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.233","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:02.319510+0000","flow_id":918531122924333,"pcap_cnt":154,"event_type":"http","src_ip":"192.168.240.209","src_port":49589,"dest_ip":"192.168.240.233","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.233","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-08-27T13:34:02.321040+0000","flow_id":918531122924333,"pcap_cnt":156,"event_type":"fileinfo","src_ip":"192.168.240.233","src_port":5357,"dest_ip":"192.168.240.209","dest_port":49589,"proto":"TCP","http":{"hostname":"192.168.240.233","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:04.158547+0000","flow_id":2170262834143027,"pcap_cnt":212,"event_type":"fileinfo","src_ip":"fe80:0000:0000:0000:8dfa:a108:65dd:f95f","src_port":49251,"dest_ip":"fe80:0000:0000:0000:c4c2:d19e:37f5:71b7","dest_port":5357,"proto":"TCP","http":{"hostname":"[fe80::c4c2:d19e:37f5:71b7]","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2718},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:04.158818+0000","flow_id":2170262834143027,"pcap_cnt":214,"event_type":"http","src_ip":"fe80:0000:0000:0000:8dfa:a108:65dd:f95f","src_port":49251,"dest_ip":"fe80:0000:0000:0000:c4c2:d19e:37f5:71b7","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"[fe80::c4c2:d19e:37f5:71b7]","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-08-27T13:34:04.159664+0000","flow_id":942748296046274,"pcap_cnt":217,"event_type":"fileinfo","src_ip":"192.168.240.34","src_port":49246,"dest_ip":"192.168.240.209","dest_port":5357,"proto":"TCP","http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":2758},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":733,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:04.159985+0000","flow_id":942748296046274,"pcap_cnt":219,"event_type":"http","src_ip":"192.168.240.34","src_port":49246,"dest_ip":"192.168.240.209","dest_port":5357,"proto":"TCP","tx_id":0,"http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml"}}
{"timestamp":"2019-08-27T13:34:04.160033+0000","flow_id":2170262834143027,"pcap_cnt":221,"event_type":"fileinfo","src_ip":"fe80:0000:0000:0000:c4c2:d19e:37f5:71b7","src_port":5357,"dest_ip":"fe80:0000:0000:0000:8dfa:a108:65dd:f95f","dest_port":49251,"proto":"TCP","http":{"hostname":"[fe80::c4c2:d19e:37f5:71b7]","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:04.161279+0000","flow_id":942748296046274,"pcap_cnt":223,"event_type":"fileinfo","src_ip":"192.168.240.209","src_port":5357,"dest_ip":"192.168.240.34","dest_port":49246,"proto":"TCP","http":{"hostname":"192.168.240.209","url":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","http_user_agent":"WSDAPI","http_content_type":"application\/soap+xml","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":3999},"app_proto":"http","fileinfo":{"filename":"\/733c94c5-cebb-4f98-a75f-22a797d1d50b\/","gaps":false,"state":"CLOSED","stored":false,"size":3999,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:19.764289+0000","flow_id":1627402591250817,"pcap_cnt":238,"event_type":"dns","src_ip":"192.168.240.209","src_port":50708,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48256,"rrname":"devworkserver.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-08-27T13:34:19.773631+0000","flow_id":1627402591250817,"pcap_cnt":239,"event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.240.209","dest_port":50708,"proto":"UDP","dns":{"type":"answer","id":48256,"rcode":"NOERROR","rrname":"devworkserver.com","rrtype":"A","ttl":135,"rdata":"205.134.251.165"}}
{"timestamp":"2019-08-27T13:34:19.833333+0000","flow_id":757811300237521,"pcap_cnt":245,"event_type":"alert","src_ip":"192.168.240.209","src_port":49590,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021641,"rev":6,"signature":"ET TROJAN LokiBot User-Agent (Charon\/Inferno)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-08-27T13:34:19.833333+0000","flow_id":757811300237521,"pcap_cnt":245,"event_type":"alert","src_ip":"192.168.240.209","src_port":49590,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2025381,"rev":4,"signature":"ET TROJAN LokiBot Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-08-27T13:34:21.388329+0000","flow_id":757811300237521,"pcap_cnt":248,"event_type":"alert","src_ip":"192.168.240.209","src_port":49590,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024312,"rev":3,"signature":"ET TROJAN LokiBot Application\/Credential Data Exfiltration Detected M1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-08-27T13:34:21.388329+0000","flow_id":757811300237521,"pcap_cnt":248,"event_type":"alert","src_ip":"192.168.240.209","src_port":49590,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024317,"rev":3,"signature":"ET TROJAN LokiBot Application\/Credential Data Exfiltration Detected M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-08-27T13:34:21.388329+0000","flow_id":757811300237521,"pcap_cnt":248,"event_type":"alert","src_ip":"192.168.240.209","src_port":49590,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2825766,"rev":3,"signature":"ETPRO TROJAN LokiBot Checkin M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-08-27T13:34:21.388329+0000","flow_id":757811300237521,"pcap_cnt":248,"event_type":"fileinfo","src_ip":"192.168.240.209","src_port":49590,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","http":{"hostname":"devworkserver.com","url":"\/mercy\/five\/fre.php","http_user_agent":"Mozilla\/4.08 (Charon; Inferno)","http_method":"POST","protocol":"HTTP\/1.0","length":0},"app_proto":"http","fileinfo":{"filename":"\/mercy\/five\/fre.php","gaps":false,"state":"CLOSED","stored":false,"size":192,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:19.934668+0000","flow_id":757811300237521,"pcap_cnt":250,"event_type":"http","src_ip":"192.168.240.209","src_port":49590,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"devworkserver.com","url":"\/mercy\/five\/fre.php","http_user_agent":"Mozilla\/4.08 (Charon; Inferno)","http_content_type":"text\/html"}}
{"timestamp":"2019-08-27T13:34:19.934881+0000","flow_id":757811300237521,"pcap_cnt":251,"event_type":"fileinfo","src_ip":"205.134.251.165","src_port":80,"dest_ip":"192.168.240.209","dest_port":49590,"proto":"TCP","http":{"hostname":"devworkserver.com","url":"\/mercy\/five\/fre.php","http_user_agent":"Mozilla\/4.08 (Charon; Inferno)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":404,"length":15},"app_proto":"http","fileinfo":{"filename":"\/mercy\/five\/fre.php","gaps":false,"state":"CLOSED","stored":false,"size":15,"tx_id":0}}
{"timestamp":"2019-08-27T13:34:20.078285+0000","flow_id":1259051163638831,"pcap_cnt":257,"event_type":"alert","src_ip":"192.168.240.209","src_port":49591,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021641,"rev":6,"signature":"ET TROJAN LokiBot User-Agent (Charon\/Inferno)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-08-27T13:34:20.078285+0000","flow_id":1259051163638831,"pcap_cnt":257,"event_type":"alert","src_ip":"192.168.240.209","src_port":49591,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2025381,"rev":4,"signature":"ET TROJAN LokiBot Checkin","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-08-27T13:34:21.682239+0000","flow_id":1259051163638831,"pcap_cnt":260,"event_type":"alert","src_ip":"192.168.240.209","src_port":49591,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024312,"rev":3,"signature":"ET TROJAN LokiBot Application\/Credential Data Exfiltration Detected M1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2019-08-27T13:34:21.682239+0000","flow_id":1259051163638831,"pcap_cnt":260,"event_type":"alert","src_ip":"192.168.240.209","src_port":49591,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2024317,"rev":3,"signature":"ET TROJAN LokiBot Application\/Credential Data Exfiltration Detected M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-08-27T13:34:21.682239+0000","flow_id":1259051163638831,"pcap_cnt":260,"event_type":"alert","src_ip":"192.168.240.209","src_port":49591,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","app_proto":"http","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2825766,"rev":3,"signature":"ETPRO TROJAN LokiBot Checkin M2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-08-27T13:34:21.682239+0000","flow_id":1259051163638831,"pcap_cnt":260,"event_type":"fileinfo","src_ip":"192.168.240.209","src_port":49591,"dest_ip":"205.134.251.165","dest_port":80,"proto":"TCP","http":{"hostname":"devworkserver.com","url":"\/mercy\/five\/fre.php","http_user_agent":"Mozilla\/4.08 (Charon; Inferno)","http_method":"POST","protocol":"HTTP\/1.0","lengt


keyword_perf.log - (12791 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 9/16/2019 -- 10:13:39
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             5235546         977             977             34958           5358.00         5358.00         0.00           
  content          18939914        2095            1199            6937042         9040.00         5859.00         13297.00       
  pcre             1926026         249             165             49540           7735.00         7320.00         8548.00        
  byte_test        118574          20              8               21876           5928.00         7535.00         4857.00        
  isdataat         9526            2               0               4774            4763.00         0.00            4763.00        
  flowbits         303852          47              20              36258           6464.00         7477.00         5715.00        
  urilen           416172          79              18              20882           5268.00         5405.00         5227.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             5235546         977             977             34958           5358.00         5358.00         0.00           
  flowbits         243732          38              11              36258           6414.00         8129.00         5715.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1484540         273             92              37286           5437.00         5642.00         5334.00        
  byte_test        118574          20              8               21876           5928.00         7535.00         4857.00        
  isdataat         9526            2               0               4774            4763.00         0.00            4763.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         60120           9               9               13882           6680.00         6680.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2075072         356             249             24990           5828.00         5820.00         5848.00        
  pcre             880478          116             88              49540           7590.00         7146.00         8984.00        
  urilen           416172          79              18              20882           5268.00         5405.00         5227.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1192232         192             34              26492           6209.00         7617.00         5906.00        
  pcre             149596          22              22              17994           6799.00         6799.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          74202           15              0               6312            4946.00         0.00            4946.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          22520           4               0               5968            5630.00         0.00            5630.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3800926         626             390             138536          6071.00         6258.00         5763.00        
  pcre             895952          111             55              33446           8071.00         7807.00         8331.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7368810         78              28              6937042         94471.00        5537.00         144275.00      
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_connection
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          29464           6               0               4944            4910.00         0.00            4910.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          187638          33              22              21090           5686.00         5813.00         5430.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          148516          22              22              38050           6750.00         6750.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1606206         303             281             27614           5301.00         5302.00         5284.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          844486          165             77              21052           5118.00         5391.00         4878.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          105302          22              4               5714            4786.00         5234.00         4687.00        


suricata-4.0.0-etpro-all-perf.txt-2019-09-16-T-10-13-39-09162019.1013-network_2.pcap.txt - (28630 bytes)
  --------------------------------------------------------------------------
  Date: 9/16/2019 -- 10:13:39. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2807970      1        8        7699910      10.14  11       0        7020760     699991.82   0.00        699991.82  
  2        2022679      1        4        766618       1.01   11       0        194240      69692.55    0.00        69692.55   
  3        2022901      1        2        823322       1.08   11       0        136326      74847.45    0.00        74847.45   
  4        2023613      1        3        698882       0.92   119      0        134700      5872.96     0.00        5872.96    
  5        2024313      1        4        907212       1.19   22       9        111712      41236.91    39880.67    42175.85   
  6        2809363      1        3        788486       1.04   11       0        103522      71680.55    0.00        71680.55   
  7        2017261      1        3        914872       1.20   11       0        102544      83170.18    0.00        83170.18   
  8        2815481      1        6        413032       0.54   7        0        100288      59004.57    0.00        59004.57   
  9        2024317      1        3        1111276      1.46   22       2        100230      50512.55    25761.00    52987.70   
  10       2025381      1        4        887252       1.17   11       11       98936       80659.27    80659.27    0.00       
  11       2014411      1        11       861090       1.13   11       0        93938       78280.91    0.00        78280.91   
  12       2024318      1        3        1120680      1.48   22       9        91362       50940.00    25606.89    68478.31   
  13       2024319      1        3        1020208      1.34   22       0        90046       46373.09    0.00        46373.09   
  14       2811394      1        2        653358       0.86   11       0        88836       59396.18    0.00        59396.18   
  15       2819881      1        2        676198       0.89   11       0        85636       61472.55    0.00        61472.55   
  16       2021418      1        9        761446       1.00   11       0        84692       69222.36    0.00        69222.36   
  17       2825766      1        3        880678       1.16   22       11       82714       40030.82    15486.36    64575.27   
  18       2811447      1        2        715624       0.94   14       0        82376       51116.00    0.00        51116.00   
  19       2815568      1        2        553562       0.73   11       0        81960       50323.82    0.00        50323.82   
  20       2821471      1        2        738140       0.97   11       0        81210       67103.64    0.00        67103.64   
  21       2821569      1        7        630684       0.83   11       0        80278       57334.91    0.00        57334.91   
  22       2809511      1        4        659950       0.87   11       0        80268       59995.45    0.00        59995.45   
  23       2830613      1        2        554672       0.73   11       0        77546       50424.73    0.00        50424.73   
  24       2820983      1        5        631204       0.83   11       0        76830       57382.18    0.00        57382.18   
  25       2021413      1        2        626242       0.82   11       0        75536       56931.09    0.00        56931.09   
  26       2021605      1        4        807124       1.06   22       0        75182       36687.45    0.00        36687.45   
  27       2021067      1        2        312622       0.41   6        0        74358       52103.67    0.00        52103.67   
  28       2024848      1        2        357570       0.47   7        0        73352       51081.43    0.00        51081.43   
  29       2821561      1        2        360262       0.47   7        0        73336       51466.00    0.00        51466.00   
  30       2816669      1        4        391736       0.52   7        0        72990       55962.29    0.00        55962.29   
  31       2816356      1        2        652690       0.86   11       0        72900       59335.45    0.00        59335.45   
  32       2019094      1        5        822886       1.08   22       0        72730       37403.91    0.00        37403.91   
  33       2820309      1        2        272700       0.36   7        0        72156       38957.14    0.00        38957.14   
  34       2812433      1        2        641112       0.84   11       0        72106       58282.91    0.00        58282.91   
  35       2025142      1        2        422592       0.56   7        0        71282       60370.29    0.00        60370.29   
  36       2016706      1        20       422534       0.56   11       0        70722       38412.18    0.00        38412.18   
  37       2815363      1        3        605124       0.80   11       0        68742       55011.27    0.00        55011.27   
  38       2019155      1        2        296794       0.39   7        0        67660       42399.14    0.00        42399.14   
  39       2807793      1        4        520746       0.69   11       0        67184       47340.55    0.00        47340.55   
  40       2020181      1        8        617446       0.81   11       0        66432       56131.45    0.00        56131.45   
  41       2811711      1        2        242416       0.32   7        0        66414       34630.86    0.00        34630.86   
  42       2815754      1        2        345366       0.45   7        0        66294       49338.00    0.00        49338.00   
  43       2024315      1        3        691566       0.91   22       0        64716       31434.82    0.00        31434.82   
  44       2020705      1        4        429034       0.57   11       0        63192       39003.09    0.00        39003.09   
  45       2828008      1        2        558638       0.74   18       0        62552       31035.44    0.00        31035.44   
  46       2811280      1        7        305576       0.40   7        0        62114       43653.71    0.00        43653.71   
  47       2809816      1        2        293350       0.39   7        0        61870       41907.14    0.00        41907.14   
  48       2017552      1        6        1557148      2.05   54       0        61656       28836.07    0.00        28836.07   
  49       2015877      1        6        564542       0.74   11       0        60794       51322.00    0.00        51322.00   
  50       2806873      1        4        496546       0.65   11       0        60556       45140.55    0.00        45140.55   
  51       2828060      1        4        521316       0.69   11       0        60356       47392.36    0.00        47392.36   
  52       2012612      1        16       527290       0.69   11       0        59924       47935.45    0.00        47935.45   
  53       2809682      1        5        425218       0.56   11       0        59510       38656.18    0.00        38656.18   
  54       2024311      1        3        675842       0.89   22       0        59368       30720.09    0.00        30720.09   
  55       2821148      1        4        292992       0.39   7        0        59314       41856.00    0.00        41856.00   
  56       2024312      1        3        698818       0.92   22       2        59298       31764.45    41983.00    30742.60   
  57       2824971      1        3        431288       0.57   11       0        59260       39208.00    0.00        39208.00   
  58       2828986      1        2        550824       0.73   13       0        59064       42371.08    0.00        42371.08   
  59       2829848      1        2        520320       0.69   13       0        58312       40024.62    0.00        40024.62   
  60       2804626      1        9        393562       0.52   11       0        58244       35778.36    0.00        35778.36   
  61       2827279      1        5        543258       0.72   18       0        58090       30181.00    0.00        30181.00   
  62       2024314      1        3        647086       0.85   22       0        57738       29413.00    0.00        29413.00   
  63       2827580      1        7        528244       0.70   18       0        57110       29346.89    0.00        29346.89   
  64       2022132      1        1        324118       0.43   22       0        56782       14732.64    0.00        14732.64   
  65       2816165      1        5        749110       0.99   18       0        56696       41617.22    0.00        41617.22   
  66       2022197      1        3        279192       0.37   6        0        56692       46532.00    0.00        46532.00   
  67       2810084      1        2        92822        0.12   2        0        56658       46411.00    0.00        46411.00   
  68       2807856      1        2        479442       0.63   22       0        55990       21792.82    0.00        21792.82   
  69       2823858      1        3        503116       0.66   11       0        55666       45737.82    0.00        45737.82   
  70       2016537      1        2        997598       1.31   36       0        54850       27711.06    0.00        27711.06   
  71       2022502      1        4        392584       0.52   11       0        54566       35689.45    0.00        35689.45   
  72       2014701      1        12       101208       0.13   4        0        54044       25302.00    0.00        25302.00   
  73       2809547      1        5        396420       0.52   11       0        53824       36038.18    0.00        36038.18   
  74       2812141      1        2        489742       0.65   11       0        53404       44522.00    0.00        44522.00   
  75       2824781      1        3        396386       0.52   11       0        51336       36035.09    0.00        36035.09   
  76       2014133      1        4        232172       0.31   7        0        50690       33167.43    0.00        33167.43   
  77       2024513      1        5        280712       0.37   11       0        50390       25519.27    0.00        25519.27   
  78       2806921      1        3        227684       0.30   7        0        50120       32526.29    0.00        32526.29   
  79       2014380      1        4        781246       1.03   36       0        49502       21701.28    0.00        21701.28   
  80       2012707      1        5        544438       0.72   16       0        48464       34027.38    0.00        34027.38   
  81       2016809      1        5        379870       0.50   11       0        48306       34533.64    0.00        34533.64   
  82       2805260      1        4        391978       0.52   11       0        48202       35634.36    0.00        35634.36   
  83       2830036      1        1        225862       0.30   7        0        46576       32266.00    0.00        32266.00   
  84       2828212      1        2        224020       0.30   7        0        46108       32002.86    0.00        32002.86   
  85       2017948      1        2        661828       0.87   22       0        45894       30083.09    0.00        30083.09   
  86       2003492      1        30       380670       0.50   11       0        45878       34606.36    0.00        34606.36   
  87       2023619      1        3        581354       0.77   117      0        44818       4968.84     0.00        4968.84    
  88       2024316      1        3        644772       0.85   22       0        44226       29307.82    0.00        29307.82   
  89       2023618      1        3        618376       0.81   116      0        43886       5330.83     0.00        5330.83    
  90       2807925      1        1        298544       0.39   14       0        43412       21324.57    0.00        21324.57   
  91       2021641      1        6        384208       0.51   11       11       42006       34928.00    34928.00    0.00       
  92       2811544      1        1        78996        0.10   4        0        41926       19749.00    0.00        19749.00   
  93       2816899      1        2        371080       0.49   11       0        40840       33734.55    0.00        33734.55   
  94       2819882      1        2        244906       0.32   11       0        39708       22264.18    0.00        22264.18   
  95       2815451      1        2        460958       0.61   22       0        38998       20952.64    0.00        20952.64   
  96       2816394      1        2        224272       0.30   7        0        38060       32038.86    0.00        32038.86   
  97       2816855      1        3        379874       0.50   11       0        38042       34534.00    0.00        34534.00   
  98       2014704      1        7        219224       0.29   7        0        37276       31317.71    0.00        31317.71   
  99       2826256      1        2        584294       0.77   18       0        36150       32460.78    0.00        32460.78   
  100      2014967      1        3        366768       0.48   11       0        35532       33342.55    0.00        33342.55   
  101      2826281      1        2        61504        0.08   2        0        35434       30752.00    0.00        30752.00   
  102      2024606      1        2        365850       0.48   11       0        34944       33259.09    0.00        33259.09   
  103      2020936      1        3        211190       0.28   7        0        34906       30170.00    0.00        30170.00   
  104      2806959      1        2        210348       0.28   7        0        34732       30049.71    0.00        30049.71   
  105      2016223      1        10       368074       0.48   11       0        34682       33461.27    0.00        33461.27   
  106      2823937      1        13       222300       0.29   11       0        28304       20209.09    0.00        20209.09   
  107      2828748      1        2        106716       0.14   18       0        28008       5928.67     0.00        5928.67    
  108      2023612      1        4        563278       0.74   120      0        27928       4693.98     0.00        4693.98    
  109      2023620      1        3        566150       0.75   116      0        26606       4880.60     0.00        4880.60    
  110      2022543      1        1        51470        0.07   2        0        26016       25735.00    0.00        25735.00   
  111      2803760      1        3        51450        0.07   2        0        25894       25725.00    0.00        25725.00   
  112      2023617      1        3        561806       0.74   120      0        25494       4681.72     0.00        4681.72    
  113      2807926      1        3        250660       0.33   14       0        25140       17904.29    0.00        17904.29   
  114      2014703      1        9        58156        0.08   4        0        25040       14539.00    0.00        14539.00   
  115      2019230      1        2        59446        0.08   4        0        24730       14861.50    0.00        14861.50   
  116      2811577      1        2        58626        0.08   4        0        24230       14656.50    0.00        14656.50   
  117      2014702      1        9        56868        0.07   4        0        24010       14217.00    0.00        14217.00   
  118      2023623      1        3        575800       0.76   117      0        23090       4921.37     0.00        4921.37    
  119      2013739      1        15       552824       0.73   117      0        22814       4724.99     0.00        4724.99    
  120      2823788      1        4        28438        0.04   2        0        22636       14219.00    0.00        14219.00   
  121      2807546      1        6        70948        0.09   11       0        22358       6449.82     0.00        6449.82    
  122      2023622      1        3        592402       0.78   120      0        22328       4936.68     0.00        4936.68    
  123      2103239      1        4        70590        0.09   11       0        22214       6417.27     0.00        6417.27    
  124      2103159      1        4        70518        0.09   11       0        21462       6410.73     0.00        6410.73    
  125      2805442      1        2        5

This file has been truncated.


IDSDeathBlossom.py.log - (1149 bytes)
2019-09-16 10:13:15,118 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-09-16 10:13:15,886 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-09-16 10:13:15,886 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-09-16 10:13:15,886 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-09-16 10:13:15,886 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-09-16 10:13:15,887 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/fe4a2d55894ae34e5348ffd1bc2e53a956b33745cb75ec8c950e11a498e082d2 -r /var/pcap/09162019.1013-network_2.pcap -vvv -k none
2019-09-16 10:13:39,346 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-09-16 10:13:39,347 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 24.2373001575