travisbgreen

Untitled

May 18th, 2019
training@SuricataThreatHunting:~$ ls -l
total 80
drwxr-xr-x 2 training training 4096 Mar 12 22:21 Desktop
drwxr-xr-x 2 training training 4096 Dec 27 16:10 Documents
drwxr-xr-x 2 training training 4096 Mar 18 22:12 Downloads
-rw-r--r-- 1 training training 35147 Jul 16 2018 LICENSE
drwxr-xr-x 2 training training 4096 Dec 27 16:10 Public
drwxr-xr-x 2 training training 4096 Dec 27 16:10 Videos
drwxr-xr-x 7 training training 4096 Mar 21 20:39 exercises
-rwxr-xr-x 1 training training 705 Dec 27 20:59 reset_dashboards.sh
-rw-r--r-- 1 training training 544 Feb 9 21:13 sigdev.rules
drwxr-xr-x 2 training training 4096 Apr 10 22:15 slides
-rwxr-xr-x 1 training training 2461 May 19 03:00 suri.sh
drwxr-xr-x 2 root root 4096 May 17 08:38 vmexportprep
training@SuricataThreatHunting:~$ ls -l /var/log/suricata/
total 16
drwxr-xr-x 2 logstash logstash 4096 Dec 16 21:15 StatsByDate
drwxr-xr-x 2 logstash logstash 4096 Dec 13 16:36 certs
drwxr-xr-x 2 logstash logstash 4096 Dec 13 16:36 core
drwxr-xr-x 2 logstash logstash 4096 Dec 13 16:36 files
training@SuricataThreatHunting:~$ sudo ./suri.sh ./exercises/pcaps/eod_exercise-1.pcap
ingesting into moloch with tag eod_exercise-1.pcap
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:255) <Info> (ConfYamlParse) -- Including configuration file /etc/suricata/selks5-addin.yaml.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'default-rule-path' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'rule-files' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'classification-file' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'reference-config-file' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'detect' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'default-log-dir' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'stats' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'outputs' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'logging' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'app-layer' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'asn1-max-frames' redefined.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:255) <Info> (ConfYamlParse) -- Including configuration file /etc/suricata/selks5-interfaces-config.yaml.
[9308] 19/5/2019 -- 03:10:04 - (conf-yaml-loader.c:279) <Info> (ConfYamlParse) -- Configuration node 'af-packet' redefined.
[9308] 19/5/2019 -- 03:10:04 - (suricata.c:1067) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (rev cc492c50c) running in USER mode
[9308] 19/5/2019 -- 03:10:04 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 2
[9308] 19/5/2019 -- 03:10:04 - (util-luajit.c:98) <Config> (LuajitSetupStatesPool) -- luajit states preallocated: 128
[9308] 19/5/2019 -- 03:10:04 - (app-layer-htp.c:2329) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 33981 and 'request-body-inspect-window' set to 4191 after randomization.
[9308] 19/5/2019 -- 03:10:04 - (app-layer-htp.c:2347) <Config> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 41368 and 'response-body-inspect-window' set to 15834 after randomization.
[9308] 19/5/2019 -- 03:10:04 - (app-layer-smb.c:337) <Config> (RegisterSMBParsers) -- SMB stream depth: 0
[9308] 19/5/2019 -- 03:10:04 - (app-layer-modbus.c:1503) <Config> (RegisterModbusParsers) -- Modbus request flood protection level: 500
[9308] 19/5/2019 -- 03:10:04 - (app-layer-modbus.c:1514) <Config> (RegisterModbusParsers) -- Modbus stream depth: 0
[9308] 19/5/2019 -- 03:10:04 - (app-layer-dnp3.c:1628) <Config> (RegisterDNP3Parsers) -- Registering DNP3/tcp parsers.
[9308] 19/5/2019 -- 03:10:04 - (host.c:254) <Config> (HostInitConfig) -- allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
[9308] 19/5/2019 -- 03:10:04 - (host.c:277) <Config> (HostInitConfig) -- preallocated 1000 hosts of size 136
[9308] 19/5/2019 -- 03:10:04 - (host.c:279) <Config> (HostInitConfig) -- host memory usage: 398144 bytes, maximum: 33554432
[9308] 19/5/2019 -- 03:10:04 - (util-coredump-config.c:129) <Config> (CoredumpLoadConfig) -- Core dump size set to unlimited.
[9308] 19/5/2019 -- 03:10:04 - (defrag-hash.c:248) <Config> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[9308] 19/5/2019 -- 03:10:04 - (defrag-hash.c:273) <Config> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 160
[9308] 19/5/2019 -- 03:10:04 - (defrag-hash.c:280) <Config> (DefragInitConfig) -- defrag memory usage: 14155616 bytes, maximum: 33554432
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:399) <Config> (StreamTcpInitConfig) -- stream "prealloc-sessions": 2048 (per thread)
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:418) <Config> (StreamTcpInitConfig) -- stream "memcap": 67108864
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:424) <Config> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:430) <Config> (StreamTcpInitConfig) -- stream "async-oneside": disabled
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:447) <Config> (StreamTcpInitConfig) -- stream "checksum-validation": disabled
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:475) <Config> (StreamTcpInitConfig) -- stream."inline": disabled
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:488) <Config> (StreamTcpInitConfig) -- stream "bypass": disabled
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:510) <Config> (StreamTcpInitConfig) -- stream "max-synack-queued": 5
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:532) <Config> (StreamTcpInitConfig) -- stream.reassembly "memcap": 268435456
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:550) <Config> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:626) <Config> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2587
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:628) <Config> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2508
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp.c:640) <Config> (StreamTcpInitConfig) -- stream.reassembly.raw: enabled
[9308] 19/5/2019 -- 03:10:04 - (stream-tcp-reassemble.c:373) <Config> (StreamTcpReassemblyConfig) -- stream.reassembly "segment-prealloc": 2048
[9308] 19/5/2019 -- 03:10:04 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- eve-log output device (regular) initialized: eve.json
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'alert'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'flow'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'http'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dns'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'tls'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'files'
[9308] 19/5/2019 -- 03:10:04 - (output-json-file.c:370) <Config> (OutputFileLogInitSub) -- forcing magic lookup for logged files
[9308] 19/5/2019 -- 03:10:04 - (util-file.c:190) <Config> (FileForceHashParseCfg) -- forcing md5 calculation for logged or stored files
[9308] 19/5/2019 -- 03:10:04 - (util-file.c:199) <Config> (FileForceHashParseCfg) -- forcing sha1 calculation for logged or stored files
[9308] 19/5/2019 -- 03:10:04 - (util-file.c:208) <Config> (FileForceHashParseCfg) -- forcing sha256 calculation for logged or stored files
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'smtp'
[9308] 19/5/2019 -- 03:10:04 - (output-json-email-common.c:455) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email body
[9308] 19/5/2019 -- 03:10:04 - (output-json-email-common.c:459) <Info> (OutputEmailInitConf) -- Going to log the md5 sum of email subject
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ssh'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dnp3'
[9308] 19/5/2019 -- 03:10:04 - (output-json-dnp3.c:392) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[9308] 19/5/2019 -- 03:10:04 - (output-json-dnp3.c:392) <Info> (OutputDNP3LogInitSub) -- DNP3 log sub-module initialized.
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'nfs'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'smb'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'tftp'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'ikev2'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'krb5'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'dhcp'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'stats'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'flow'
[9308] 19/5/2019 -- 03:10:04 - (runmodes.c:626) <Config> (RunModeInitializeEveOutput) -- enabling 'eve-log' module 'metadata'
[9308] 19/5/2019 -- 03:10:04 - (log-pcap.c:1312) <Info> (PcapLogInitCtx) -- Using log dir /data/nsm/
[9308] 19/5/2019 -- 03:10:04 - (log-pcap.c:1423) <Info> (PcapLogInitCtx) -- Selected pcap-log compression method: (null)
[9308] 19/5/2019 -- 03:10:04 - (log-pcap.c:1427) <Info> (PcapLogInitCtx) -- using multi logging
[9308] 19/5/2019 -- 03:10:04 - (util-logopenfile.c:476) <Info> (SCConfLogOpenGeneric) -- stats output device (regular) initialized: stats.log
[9308] 19/5/2019 -- 03:10:04 - (suricata.c:2410) <Config> (SetupDelayedDetect) -- Delayed detect disabled
[9308] 19/5/2019 -- 03:10:04 - (detect-engine.c:1589) <Config> (DetectEngineCtxInitReal) -- pattern matchers: MPM: hs, SPM: hs
[9308] 19/5/2019 -- 03:10:04 - (detect-engine.c:1987) <Config> (DetectEngineCtxLoadConf) -- grouping: tcp-whitelist 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
[9308] 19/5/2019 -- 03:10:04 - (detect-engine.c:2011) <Config> (DetectEngineCtxLoadConf) -- grouping: udp-whitelist 53, 135, 5060
[9308] 19/5/2019 -- 03:10:04 - (detect-engine.c:2045) <Config> (DetectEngineCtxLoadConf) -- prefilter engines: MPM and keywords
[9308] 19/5/2019 -- 03:10:04 - (reputation.c:639) <Info> (SRepInit) -- Loading reputation file: /etc/suricata/rules/scirius-iprep.list
[9308] 19/5/2019 -- 03:10:04 - (host.c:294) <Perf> (HostPrintStats) -- host memory usage: 2254680 bytes, maximum: 33554432
[9308] 19/5/2019 -- 03:10:04 - (detect-engine-loader.c:247) <Config> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/scirius.rules
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-loader.c:247) <Config> (ProcessSigFiles) -- Loading rule file: /home/training/sigdev.rules
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-loader.c:336) <Config> (SigLoadSignatures) -- No rules loaded from /home/training/sigdev.rules
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 2 rule files processed. 21144 rules successfully loaded, 0 rules failed
[9308] 19/5/2019 -- 03:10:08 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:327) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-packet
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:327) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for tcp-stream
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:327) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for udp-packet
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:327) <Perf> (SetupBuiltinMpm) -- using shared mpm ctx' for other-ip
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_uri
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_uri
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_request_line
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_client_body
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_response_line
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header_names
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_header_names
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept_enc
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_accept_lang
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_referer
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_connection
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_len
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_len
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_type
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_content_type
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http.server
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http.location
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_protocol
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_protocol
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_start
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_start
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_header
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_header
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_method
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_cookie
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_cookie
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.name
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file.magic
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_user_agent
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_host
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_raw_host
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_stat_msg
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for http_stat_code
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dns_query
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dnp3_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dnp3_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls.sni
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls.cert_issuer
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls.cert_subject
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls.cert_serial
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for tls.cert_fingerprint
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ja3.hash
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ja3.string
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dce_stub_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dce_stub_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dce_stub_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for dce_stub_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for smb_named_pipe
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for smb_share
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_protocol
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_protocol
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_software
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for ssh_software
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for file_data
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for krb5_cname
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-mpm.c:272) <Perf> (DetectMpmSetupAppMpms) -- using shared mpm ctx' for krb5_sname
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405000: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405001: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405002: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405003: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405004: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405005: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405006: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405007: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405008: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405009: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405010: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405011: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405012: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405013: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405014: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405015: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405016: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405017: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405018: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405019: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405020: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2405021: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2014385: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2014386: prefilter is on "flow"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2008542: prefilter is on "dsize"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2013506: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2001219: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2002910: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2002911: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2003068: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2010935: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2010936: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2010937: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2010938: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2010939: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2102523: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2102523: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2001569: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2001579: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2001580: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2001581: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2001582: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2001583: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2001972: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2002992: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2002993: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2002994: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2002995: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1402) <Config> (SigAddressPrepareStage1) -- sid 2013479: prefilter is on "flags"
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1426) <Info> (SigAddressPrepareStage1) -- 21149 signatures processed. 13 are IP-only rules, 6321 are inspecting packet payload, 14754 inspect application layer, 0 are decoder event only
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1429) <Config> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: preprocessing rules... complete
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1266) <Perf> (RulesGroupByPorts) -- TCP toserver: 76 port groups, 60 unique SGH's, 16 copies
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1266) <Perf> (RulesGroupByPorts) -- TCP toclient: 76 port groups, 46 unique SGH's, 30 copies
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1266) <Perf> (RulesGroupByPorts) -- UDP toserver: 76 port groups, 44 unique SGH's, 32 copies
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1266) <Perf> (RulesGroupByPorts) -- UDP toclient: 45 port groups, 25 unique SGH's, 20 copies
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1012) <Perf> (RulesGroupByProto) -- OTHER toserver: 254 proto groups, 2 unique SGH's, 252 copies
[9308] 19/5/2019 -- 03:10:08 - (detect-engine-build.c:1049) <Perf> (RulesGroupByProto) -- OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-build.c:1801) <Perf> (SigAddressPrepareStage4) -- Unique rule groups: 177
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:982) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP packet": 33
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:982) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP packet": 30
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:982) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver TCP stream": 33
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:982) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient TCP stream": 38
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:982) <Perf> (MpmStoreReportStats) -- Builtin MPM "toserver UDP packet": 44
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:982) <Perf> (MpmStoreReportStats) -- Builtin MPM "toclient UDP packet": 25
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:982) <Perf> (MpmStoreReportStats) -- Builtin MPM "other IP packet": 2
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_uri": 13
[9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_uri": 1
  259. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_request_line": 1
  260. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_client_body": 5
  261. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_response_line": 1
  262. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header": 6
  263. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_header": 4
  264. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_header_names": 1
  265. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_accept": 1
  266. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_referer": 1
  267. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_len": 1
  268. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_content_type": 1
  269. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_content_type": 1
  270. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_start": 1
  271. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_raw_header": 1
  272. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_raw_header": 1
  273. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_method": 3
  274. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_cookie": 1
  275. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_cookie": 2
  276. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_user_agent": 4
  277. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver http_host": 2
  278. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient http_stat_code": 1
  279. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver dns_query": 4
  280. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver tls.sni": 2
  281. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_issuer": 2
  282. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_subject": 1
  283. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient tls.cert_serial": 1
  284. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver ssh_protocol": 1
  285. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toserver file_data": 1
  286. [9308] 19/5/2019 -- 03:10:17 - (detect-engine-mpm.c:989) <Perf> (MpmStoreReportStats) -- AppLayer MPM "toclient file_data": 7
  287. [9308] 19/5/2019 -- 03:10:23 - (tmqh-flow.c:88) <Config> (TmqhFlowPrintAutofpHandler) -- AutoFP mode using "Hash" flow load balancer
  288. [9314] 19/5/2019 -- 03:10:23 - (log-pcap.c:762) <Info> (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
  289. [9314] 19/5/2019 -- 03:10:23 - (log-pcap.c:903) <Notice> (PcapLogInitRingBuffer) -- Ring buffer initialized with 0 files.
  290. [9315] 19/5/2019 -- 03:10:23 - (log-pcap.c:762) <Info> (PcapLogInitRingBuffer) -- Initializing PCAP ring buffer for /data/nsm//log.%n.%t.pcap.
  291. [9315] 19/5/2019 -- 03:10:23 - (log-pcap.c:903) <Notice> (PcapLogInitRingBuffer) -- Ring buffer initialized with 0 files.
  292. [9308] 19/5/2019 -- 03:10:23 - (flow-manager.c:815) <Config> (FlowManagerThreadSpawn) -- using 1 flow manager threads
  293. [9308] 19/5/2019 -- 03:10:23 - (flow-manager.c:976) <Config> (FlowRecyclerThreadSpawn) -- using 1 flow recycler threads
  294. [9308] 19/5/2019 -- 03:10:23 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 3 packet processing threads, 4 management threads initialized, engine started.
  295. [9313] 19/5/2019 -- 03:10:23 - (source-pcap-file.c:176) <Info> (ReceivePcapFileLoop) -- Starting file run for ./exercises/pcaps/eod_exercise-1.pcap
  296. [9313] 19/5/2019 -- 03:10:23 - (util-checksum.c:89) <Info> (ChecksumAutoModeCheck) -- No packets with invalid checksum, assuming checksum offloading is NOT used
  297. [9313] 19/5/2019 -- 03:10:24 - (source-pcap-file-helper.c:149) <Info> (PcapFileDispatch) -- pcap file ./exercises/pcaps/eod_exercise-1.pcap end of file reached (pcap err code 0)
  298. [9308] 19/5/2019 -- 03:10:24 - (suricata.c:2843) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine.
  299. [9316] 19/5/2019 -- 03:10:24 - (flow-manager.c:794) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
  300. [9308] 19/5/2019 -- 03:10:25 - (suricata.c:1093) <Info> (SCPrintElapsedTime) -- time elapsed 1.744s
  301. [9317] 19/5/2019 -- 03:10:25 - (flow-manager.c:945) <Perf> (FlowRecycler) -- 163 flows processed
  302. [9313] 19/5/2019 -- 03:10:25 - (source-pcap-file.c:378) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 15768 packets, 13594177 bytes
  303. [9308] 19/5/2019 -- 03:10:25 - (tmqh-flow.c:216) <Perf> (TmqhOutputFlowFreeCtx) -- AutoFP - Total flow handler queues - 2
  304. [9308] 19/5/2019 -- 03:10:25 - (counters.c:849) <Info> (StatsLogSummary) -- Alerts: 100
  305. [9308] 19/5/2019 -- 03:10:25 - (ippair.c:290) <Perf> (IPPairPrintStats) -- ippair memory usage: 414144 bytes, maximum: 16777216
  306. [9308] 19/5/2019 -- 03:10:25 - (host.c:294) <Perf> (HostPrintStats) -- host memory usage: 2254952 bytes, maximum: 33554432
  307. suricata: host.c:309: HostShutdown: Assertion `!((h->use_cnt_sc_atomic__) > 0)' failed.
  308. ./suri.sh: line 51: 9308 Aborted (core dumped) suricata -vvv -c /etc/suricata/suricata.yaml -k none -r $1 --runmode=autofp -s /home/training/sigdev.rules
  309.  
  310. Signature Hits:
  311.  
  312.  
  313. The pcap - ./exercises/pcaps/eod_exercise-1.pcap has been processed
  314.  
  315. Moloch -- https://localhost/moloch/sessions?expression=tags%20%3D%20eod_exercise-1.pcap
  316.  
  317. Kibana SN-ALERTS -- https://localhost/app/kibana#/dashboard/SN-ALERTS
  318.  
  319. Please note that it can take 10-40 sec for the events fully populate.
  320.  
  321. training@SuricataThreatHunting:~$ ls -l
  322. total 216904
  323. drwxr-xr-x 2 training training 4096 Mar 12 22:21 Desktop
  324. drwxr-xr-x 2 training training 4096 Dec 27 16:10 Documents
  325. drwxr-xr-x 2 training training 4096 Mar 18 22:12 Downloads
  326. -rw-r--r-- 1 training training 35147 Jul 16 2018 LICENSE
  327. drwxr-xr-x 2 training training 4096 Dec 27 16:10 Public
  328. drwxr-xr-x 2 training training 4096 Dec 27 16:10 Videos
  329. -rw------- 1 root root 306511872 May 19 03:10 core
  330. -rw-r--r-- 1 root root 1899324 May 19 03:10 eve.json
  331. drwxr-xr-x 7 training training 4096 Mar 21 20:39 exercises
  332. -rwxr-xr-x 1 training training 705 Dec 27 20:59 reset_dashboards.sh
  333. -rw-r--r-- 1 training training 544 Feb 9 21:13 sigdev.rules
  334. drwxr-xr-x 2 training training 4096 Apr 10 22:15 slides
  335. -rw-r--r-- 1 root root 4139 May 19 03:10 stats.log
  336. -rwxr-xr-x 1 training training 2461 May 19 03:00 suri.sh
  337. drwxr-xr-x 2 root root 4096 May 17 08:38 vmexportprep
  338. training@SuricataThreatHunting:~$ ls -l /var/log/suricata/
  339. total 24
  340. drwxr-xr-x 2 logstash logstash 4096 Dec 16 21:15 StatsByDate
  341. drwxr-xr-x 2 logstash logstash 4096 Dec 13 16:36 certs
  342. drwxr-xr-x 2 logstash logstash 4096 Dec 13 16:36 core
  343. -rw-r--r-- 1 root root 1 May 19 03:09 eve.json
  344. drwxr-xr-x 2 logstash logstash 4096 Dec 13 16:36 files
  345. -rw-r--r-- 1 root root 3699 May 19 03:10 suricata.log
  346. training@SuricataThreatHunting:~$