test/results/flow-info/emotet.pcap.out


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

     DAEMON-EVENT: init
     DAEMON-EVENT: [Processed: 0 pkts][ZLib][compressions: 0|diff: 0 / 0]
     DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
              new: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] 
         detected: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable]
          analyse: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable]
                   [min|max|avg|stddev]
                   [IAT(flow)...:    0.000|   3.056|   0.539|   0.774]
                   [IAT(c->s)...:    0.000|   3.056|   0.696|   0.816][IAT(s->c)...:    0.000|   3.055|   0.439|   0.729]
                   [PKTLEN(c->s):   54.000| 752.000| 124.000| 181.800][PKTLEN(s->c):   54.000| 214.000|  74.800|  37.700]
                   [BINS(c->s)..: 8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                   [BINS(s->c)..: 14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
     DAEMON-EVENT: [Processed: 626 pkts][ZLib][compressions: 0|diff: 0 / 0]
     DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
              new: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] 
         detected: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable]
          analyse: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable]
                   [min|max|avg|stddev]
                   [IAT(flow)...:    0.000|   0.204|   0.029|   0.060]
                   [IAT(c->s)...:    0.000|   0.204|   0.041|   0.068][IAT(s->c)...:    0.000|   0.204|   0.022|   0.054]
                   [PKTLEN(c->s):   54.000| 500.000|  92.200| 123.000][PKTLEN(s->c):   54.000|1415.000|1279.100| 407.700]
                   [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                   [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0]
              end: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable]
     DAEMON-EVENT: [Processed: 834 pkts][ZLib][compressions: 0|diff: 0 / 0]
     DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
              new: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] 
         detected: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable]
 detection-update: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable]
                   RISK: Binary App Transfer
          analyse: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable]
                   [min|max|avg|stddev]
                   [IAT(flow)...:    0.000|   0.261|   0.031|   0.066]
                   [IAT(c->s)...:    0.000|   0.260|   0.030|   0.065][IAT(s->c)...:    0.000|   0.261|   0.032|   0.067]
                   [PKTLEN(c->s):   60.000| 279.000|  73.200|  51.500][PKTLEN(s->c):   62.000|1442.000|1350.000| 344.200]
                   [BINS(c->s)..: 16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                   [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
              end: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable]
     DAEMON-EVENT: [Processed: 1663 pkts][ZLib][compressions: 0|diff: 0 / 0]
     DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
              new: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] 
         detected: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Web][Acceptable]
                   RISK: HTTP Suspicious User-Agent
 detection-update: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable]
                   RISK: Binary App Transfer, HTTP Suspicious User-Agent
          analyse: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable]
                   [min|max|avg|stddev]
                   [IAT(flow)...:    0.000|   0.292|   0.042|   0.080]
                   [IAT(c->s)...:    0.000|   0.292|   0.073|   0.105][IAT(s->c)...:    0.000|   0.184|   0.030|   0.062]
                   [PKTLEN(c->s):   60.000| 206.000|  75.200|  43.600][PKTLEN(s->c):   60.000|1442.000|1264.600| 420.200]
                   [BINS(c->s)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                   [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0]
              end: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable]
                   RISK: Binary App Transfer
              new: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] 
         detected: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe]
                   RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
 detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe]
                   RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
          analyse: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] 
                   [min|max|avg|stddev]
                   [IAT(flow)...:    0.000|   1.263|   0.117|   0.292]
                   [IAT(c->s)...:    0.000|   1.263|   0.146|   0.340][IAT(s->c)...:    0.000|   1.117|   0.097|   0.253]
                   [PKTLEN(c->s):   60.000| 534.000| 115.100| 122.800][PKTLEN(s->c):   60.000|1442.000|1147.800| 551.200]
                   [BINS(c->s)..: 11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                   [BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
 detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe]
                   RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
              new: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] 
         detected: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Web][Safe]
                   RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
 detection-update: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Web][Safe]
                   RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
              end: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable]
                   RISK: Binary App Transfer, HTTP Suspicious User-Agent
              end: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe]
                   RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
              end: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] [TLS][Web][Safe]
                   RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
     DAEMON-EVENT: shutdown