00564{"daemon_event_id":1,"daemon_event_name":"init","thread_id":0,"packet_id":0,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4834-92507c0","max-flows-per-thread":2048,"max-idle-flows-per-thread":64,"reader-thread-count":1,"flow-scan-interval":10000000,"generic-max-idle-time":600000000,"icmp-max-idle-time":120000000,"udp-max-idle-time":180000000,"tcp-max-idle-time":7560000000,"max-packets-per-flow-to-send":5,"max-packets-per-flow-to-process":32,"max-packets-per-flow-to-analyse":32,"global_ts_usec":0}
00788{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4834-92507c0","packets-captured":1,"packets-processed":0,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":0,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":2,"global_ts_usec":1609266107551500}
00776{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107551500,"flow_dst_last_pkt_time":1609266107551500,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1609266107551500,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5}
00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1609266107551500,"flow_dst_last_pkt_time":1609266107551500,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1609266107551500,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0c9FAAIAGK0cKDB1lUnbhxO+GG6gSdtdWAAAAAIAC\/\/8eaQAAAgQFtAEDAwgBAQQC"}
00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1609266107551500,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1609266107797175,"pkt":"AAgCHEeuIOUqtpPxCABFAAAsYEQAAIAGftxSduHECgwdZRuo74Zi7VJcEnbXV2AS+vCXMwAAAgQFtA=="}
00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1609266107797418,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1609266107797418,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoc9JAAIAGK1IKDB1lUnbhxO+GG6gSdtdXYu1SXVAQ\/\/+p4QAA"}
00998{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":4,"flow_src_last_pkt_time":1609266107797621,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":403,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":403,"pkt_l4_len":369,"thread_ts_usec":1609266107797621,"pkt":"IOUqtpPxAAgCHEeuCABFAAGFc9NAAIAGKfQKDB1lUnbhxO+GG6gSdtdXYu1SXVAY\/\/9PNwAAUE9TVCAvT0syMXBxSkF0eXlHQkVvMDBzayBIVFRQLzEuMQ0KUmVmZXJlcjogaHR0cDovLzgyLjExOC4yMjUuMTk2L09LMjFwcUpBdHl5R0JFbzAwc2sNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkDQpETlQ6IDENClVzZXItQWdlbnQ6IE1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCAxMC4wOyBXT1c2NDsgVHJpZGVudC83LjA7IC5ORVQ0LjBDOyAuTkVUNC4wRSkNCkhvc3Q6IDgyLjExOC4yMjUuMTk2OjcwODANCkNvbnRlbnQtTGVuZ3RoOiA5MjgNCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQoNCg=="}
01490{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107797621,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":349,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":349,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1609266107797621,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196","http": {"url":"82.118.225.196:7080\/OK21pqJAtyyGBEo00sk","code":0,"content_type":"","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E)","request_content_type":"application\/x-www-form-urlencoded","detected_os":"Windows 10"}}}
01770{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":5,"flow_src_last_pkt_time":1609266107797702,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":7580000000,"pkt_datalink":1,"pkt_caplen":982,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":982,"pkt_l4_len":948,"thread_ts_usec":1609266107797702,"pkt":"IOUqtpPxAAgCHEeuCABFAAPIc9RAAIAGJ7AKDB1lUnbhxO+GG6gSdti0Yu1SXVAY\/\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"}
01623{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107797702,"flow_dst_last_pkt_time":1609266108728827,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1358,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":1358,"midstream":0,"thread_ts_usec":1609266108728827,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}},"25": {"risk":"HTTP Susp Content","severity":"High","risk_score": {"total":310,"client":215,"server":95}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196","http": {"url":"82.118.225.196:7080\/OK21pqJAtyyGBEo00sk","code":200,"content_type":"text\/html","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E)","request_content_type":"application\/x-www-form-urlencoded","detected_os":"Windows 10"}}}
02558{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266109737227,"flow_dst_last_pkt_time":1609266110219915,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":27187,"midstream":0,"thread_ts_usec":1609266110219915,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"data_analysis": {"iat": {"min":6,"avg":156585.2,"max":931328,"stddev":258444.3,"var":66793451520.0,"ent":3.3,"data": [245675,245918,203,81,530,37,931085,931328,2339,2280,480234,19,480300,297566,15,8,7,8,7,8,8,7,7,6,9,297680,227938,227937,482874,14,14]},"pktlen": {"min":40,"avg":930.0,"max":1500,"stddev":662.5,"var":438885.5,"ent":4.5,"data": [52,44,40,389,968,40,40,1398,40,1398,40,1500,1323,40,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,276,40,1398,40,1500,1500,1194]},"bins": {"c_to_s": [7,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,3,0,0,14,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1],"entropies": 
[4.776611805,4.925117970,4.762815475,5.824206829,6.033888340,4.784183979,4.834183693,7.786707878,4.931687355,7.831421852,4.931687355,7.870709896,7.856476307,4.931687355,7.869441509,7.864507675,7.865448475,7.873723507,7.871662140,7.892165661,7.878643513,7.860257149,7.887190342,7.870031357,7.873756886,7.255901337,4.931687355,7.870108604,4.931687355,7.875472546,7.873021603,7.864452362]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}},"25": {"risk":"HTTP Susp Content","severity":"High","risk_score": {"total":310,"client":215,"server":95}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196"}}
01363{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":74,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":46,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266115947454,"flow_dst_last_pkt_time":1609266115947521,"flow_idle_time":7580000000,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":56713,"midstream":0,"thread_ts_usec":1609266115947521,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":5,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":160,"client":140,"server":20}},"12": {"risk":"HTTP\/TLS\/QUIC Numeric Hostname\/SNI","severity":"Low","risk_score": {"total":300,"client":270,"server":30}},"25": {"risk":"HTTP Susp Content","severity":"High","risk_score": {"total":310,"client":215,"server":95}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","proto_by_ip":"Unknown","proto_by_ip_id":0,"encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196"}}
00798{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":74,"source":"cfgs\/default\/pcap\/trickbot.pcap","alias":"nDPId-test","version":"1.7.0","ndpi_version":"4.11.0-4834-92507c0","packets-captured":74,"packets-processed":74,"pfring_active":false,"pfring_recv":0,"pfring_drop":0,"pfring_shunt":0,"total-skipped-flows":0,"total-l4-payload-len":57990,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"global-alloc-count":0,"global-free-count":0,"global-alloc-bytes":0,"global-free-bytes":0,"total-events-serialized":13,"global_ts_usec":1609266115947521}
~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~
~~ packets captured/processed: 74/74
~~ skipped flows.............: 0
~~ total layer4 data length..: 57990 bytes
~~ total detected protocols..: 1
~~ total active/idle flows...: 1/1
~~ total timeout flows.......: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ total memory allocated....: 6644030 bytes
~~ total memory freed........: 6644030 bytes
~~ total allocations/frees...: 114102/114102
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ json message min len.......: 532 chars
~~ json message max len.......: 2563 chars
~~ json message avg len.......: 1488 chars