1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
DAEMON-EVENT: init
DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587]
detected: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Unknown][Email][Acceptable][opmta1mto02nd1]
analyse: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Unknown][Email][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.000| 3.056| 0.539| 0.774| 599161.176| 3.700]
[PKTLEN......: 40.000| 738.000| 80.800| 121.900| 14849.500| 4.300]
[BINS(c->s)..: 8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
[BINS(s->c)..: 14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
[DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0]
[IATS(ms)....: 749.5,749.7,1106.3,1106.8,0.8,369.8,370.6,0.9,325.6,326.2,0.5,0.3,0.7,841.2,842.4,0.9,0.4,0.4,3054.7,3056.4,1.6,247.2,247.8,0.5,1205.1,1205.6,0.4,443.0,443.6,0.7,0.3]
[PKTLENS.....: 52,44,40,94,61,40,200,52,40,58,72,40,42,40,58,56,40,42,40,80,77,40,86,73,40,87,46,40,48,79,40,738]
[ENTROPIES...: 4.6,5.0,5.0,5.5,5.4,4.8,5.7,5.4,4.8,5.5,5.7,4.8,5.0,4.7,5.3,5.4,4.8,4.9,4.8,5.3,5.6,4.8,5.4,5.6,4.8,5.5,5.1,4.8,5.1,5.3,4.8,5.6]
DAEMON-EVENT: [Processed: 626 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80]
detected: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Unknown][Web][Acceptable][fkl.co.ke]
analyse: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Unknown][Web][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.000| 0.204| 0.029| 0.060| 3581.477| 2.700]
[PKTLEN......: 40.000| 1401.000| 820.000| 663.100| 439751.800| 4.400]
[BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
[BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0]
[DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]
[IATS(ms)....: 115.8,115.9,0.3,0.5,204.2,0.1,204.4,0.4,0.2,0.6,0.2,0.2,0.4,0.2,0.5,0.7,0.2,0.2,0.5,115.0,0.2,115.3,0.3,0.3,0.6,9.2,0.2,9.5,0.5,0.2,0.7]
[PKTLENS.....: 52,44,40,486,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40]
[ENTROPIES...: 4.7,4.9,4.7,5.8,4.6,7.4,7.7,4.7,7.8,7.8,4.7,7.8,7.9,4.7,7.8,7.9,4.8,7.8,7.9,4.7,7.9,7.8,4.8,7.9,7.9,4.8,7.9,7.8,4.7,7.8,7.8,4.8]
end: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Unknown][Email][Acceptable]
DAEMON-EVENT: [Processed: 834 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
new: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80]
detected: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Unknown][Web][Acceptable][gandhitoday.org]
detection-update: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Unknown][Download][Acceptable][gandhitoday.org]
RISK: Binary App Transfer
analyse: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Unknown][Download][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.000| 0.261| 0.031| 0.066| 4320.020| 3.000]
[PKTLEN......: 46.000| 1428.000| 657.700| 680.400| 462891.900| 4.100]
[BINS(c->s)..: 16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
[BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
[DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0]
[IATS(ms)....: 97.3,97.5,0.4,260.9,260.4,3.2,3.2,9.5,9.5,6.2,0.1,6.3,0.1,0.1,0.1,0.2,0.1,0.1,0.2,0.2,0.0,2.6,2.7,60.6,60.7,9.9,9.8,15.1,15.1,12.9,12.9]
[PKTLENS.....: 52,48,46,265,1428,46,1428,46,1428,46,1428,1428,46,1428,46,1428,46,1428,46,1428,46,46,1428,46,1428,46,1428,46,1428,46,1428,46]
[ENTROPIES...: 4.6,5.0,4.3,5.7,4.8,4.4,5.5,4.3,6.0,4.3,6.0,6.2,4.3,5.9,4.4,4.4,4.4,4.5,4.3,4.5,4.4,4.4,4.6,4.4,4.5,4.4,4.5,4.3,4.6,4.3,4.6,4.4]
end: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Unknown][Web][Acceptable]
DAEMON-EVENT: [Processed: 1663 pkts][ZLib][compressions: 0|diff: 0 / 0]
DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
new: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80]
detected: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Unknown][Web][Acceptable][filmmogzivota.rs]
RISK: HTTP Susp User-Agent
detection-update: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Unknown][Download][Acceptable][filmmogzivota.rs]
RISK: Binary App Transfer, HTTP Susp User-Agent
analyse: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Unknown][Download][Acceptable]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.000| 0.292| 0.042| 0.080| 6342.811| 2.900]
[PKTLEN......: 46.000| 1428.000| 878.900| 652.600| 425943.000| 4.500]
[BINS(c->s)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
[BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0]
[DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0]
[IATS(ms)....: 184.2,184.5,0.2,171.8,120.6,0.1,0.1,292.2,2.7,0.1,0.1,0.1,2.9,2.7,0.1,0.1,3.0,164.7,0.1,0.1,164.8,2.8,0.1,0.1,3.0,2.9,0.1,0.1,0.2,3.2,0.1]
[PKTLENS.....: 52,52,46,192,46,612,1428,1428,46,1428,1428,1428,1100,46,1428,1428,1428,46,1428,1428,1428,46,1428,1428,1428,46,1428,1428,1428,1428,46,46]
[ENTROPIES...: 4.7,4.8,4.5,5.7,4.4,5.6,4.0,5.1,4.5,5.1,5.0,5.3,5.5,4.5,5.1,5.2,5.5,4.5,5.2,5.1,5.3,4.5,5.4,5.1,5.1,4.4,5.2,5.4,5.4,4.9,4.5,4.4]
end: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Unknown][Download][Acceptable]
RISK: Binary App Transfer
new: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443]
detected: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][]
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][]
RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
analyse: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe]
min| max| avg| stddev| variance| entropy
[IAT.........: 0.000| 1.263| 0.113| 0.288| 82863.079| 2.700]
[PKTLEN......: 46.000| 1428.000| 682.000| 663.200| 439900.200| 4.200]
[BINS(c->s)..: 11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
[BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
[DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1]
[IATS(ms)....: 109.4,109.6,14.1,123.8,13.2,122.9,52.7,132.9,80.3,6.5,151.9,1117.1,0.1,0.2,1262.5,0.1,2.9,0.1,3.1,96.9,0.1,96.9,3.1,0.1,0.2,0.1,3.3,0.0,0.1,2.9,0.1]
[PKTLENS.....: 52,52,46,189,46,1418,46,133,282,46,520,46,1428,1428,1428,46,46,1428,1428,52,1428,1428,60,1428,1428,1428,1428,60,60,60,1428,1428]
[ENTROPIES...: 4.7,4.9,4.5,5.4,4.6,7.5,4.6,5.9,7.1,4.5,7.5,4.5,7.9,7.9,7.9,4.5,4.5,7.9,7.9,5.0,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,5.1,5.1,7.8,7.9]
detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][]
RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
new: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443]
detected: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][]
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
detection-update: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe][]
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
end: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Unknown][Download][Acceptable]
RISK: Binary App Transfer, HTTP Susp User-Agent
end: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe]
RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
end: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Unknown][Web][Safe]
RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
DAEMON-EVENT: shutdown
|