suricata 0.2.1 → 0.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +54 -2
- data/exe/surilizer.rb +32 -0
- data/lib/suricata/fast.rb +4 -0
- data/lib/suricata/logfile.rb +10 -1
- data/lib/suricata/surilizer.rb +120 -0
- data/lib/suricata/version.rb +1 -1
- data/lib/suricata.rb +1 -0
- data/misc/fast.log.1 +151 -0
- data/misc/fast.log.2.gz +0 -0
- metadata +6 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 23facf078e973ea4a2a3f829ac363ab7a04ffe68
|
4
|
+
data.tar.gz: 37b07b5b458de9354fe3207e8c1d632ba2e1a802
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 07b2718ec993525bfb416686758af07a9df748550e334549c7175ec6d2d5ed8d8e1e27f737cccd61aa7996b6ed84945dfed1369407f58c8499856ba46e3a87a4
|
7
|
+
data.tar.gz: 9e4d48806d18f31b4470416e186295b9873b4111aa2ab47822c1039fa1c251baaad5b794052af67fafbbf2f32649f938eaca8727932131cfef61bc3d2bb77f02
|
data/README.md
CHANGED
@@ -31,7 +31,7 @@ Or install it yourself as:
|
|
31
31
|
This gem comes with a Nagios-plugin to search suricata's fast-logfile for specific strings in the threat-description.
|
32
32
|
|
33
33
|
```
|
34
|
-
Usage: check_suricata
|
34
|
+
Usage: check_suricata [ -a alertfile ] [ -w whitelistfile ] -e searchstring
|
35
35
|
-h, --help This help screen
|
36
36
|
-a, --alertfile ALERTFILE alertfile(default: /var/log/suricata/fast.log)
|
37
37
|
-w, --whitelist WHITELISTFILE whitelistfile
|
@@ -42,7 +42,7 @@ Usage: check_suricata.rb [ -a alertfile ] [ -w whitelistfile ] -e searchstring
|
|
42
42
|
|
43
43
|
It is possible to interactively acknowlege search hits so that they will not occur on the next search:
|
44
44
|
```
|
45
|
-
check_suricata
|
45
|
+
check_suricata -i -e "ET CHAT"
|
46
46
|
Acknowlege the following entry:
|
47
47
|
10/04/2016-13:39:45.498785 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:40460 -> 15.14.13.12:80
|
48
48
|
Acknowlege(y|n): y
|
@@ -51,6 +51,58 @@ Acknowlege the following entry:
|
|
51
51
|
Acknowlege(y|n): n
|
52
52
|
```
|
53
53
|
|
54
|
+
### Logfile Analyzer
|
55
|
+
|
56
|
+
This gem comes with a logfile analyzer for suricata's fast.log. It's very easy to use and meant for using as a daily cronjob
|
57
|
+
```
|
58
|
+
Usage: surilizer.rb <fast.log | fast.log* | fast.log fast.2.log fast.3.log.gz >
|
59
|
+
|
60
|
+
surilizer.rb misc/fast.log
|
61
|
+
|
62
|
+
======== Suricata Log Analysis ========
|
63
|
+
Events: 11
|
64
|
+
Unique Sources: 3
|
65
|
+
Unique Events: 6
|
66
|
+
|
67
|
+
======== Unique Events =========
|
68
|
+
|
69
|
+
PRIORITY | DESCRIPTION
|
70
|
+
1 | ET POLICY Cleartext WordPress Login
|
71
|
+
1 | ET POLICY Http Client Body contains pwd= in cleartext
|
72
|
+
1 | ET CHAT Skype VOIP Checking Version (Startup)
|
73
|
+
2 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339
|
74
|
+
3 | GPL CHAT Jabber/Google Talk Outgoing Traffic
|
75
|
+
3 | SURICATA TCPv4 invalid checksum
|
76
|
+
|
77
|
+
======== Eventy by source ========
|
78
|
+
Source: 192.168.0.1
|
79
|
+
-> 8.8.8.8
|
80
|
+
1 x ET POLICY Cleartext WordPress Login Prio: 1
|
81
|
+
-> 8.8.8.1
|
82
|
+
1 x ET POLICY Http Client Body contains pwd= in cleartext Prio: 1
|
83
|
+
-> 4.3.2.1
|
84
|
+
1 x SURICATA TCPv4 invalid checksum Prio: 3
|
85
|
+
-> 15.14.13.12
|
86
|
+
1 x ET CHAT Skype VOIP Checking Version (Startup) Prio: 1
|
87
|
+
-> 8.4.3.7
|
88
|
+
1 x GPL CHAT Jabber/Google Talk Outgoing Traffic Prio: 3
|
89
|
+
-> 1.2.3.22
|
90
|
+
2 x SURICATA TCPv4 invalid checksum Prio: 3
|
91
|
+
-> 100.254.198.10
|
92
|
+
1 x ET CHAT Skype VOIP Checking Version (Startup) Prio: 1
|
93
|
+
|
94
|
+
Source: 212.69.166.153
|
95
|
+
-> 1.2.3.4
|
96
|
+
1 x ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339 Prio: 2
|
97
|
+
|
98
|
+
Source: 10.12.32.6
|
99
|
+
-> 42.42.42.42
|
100
|
+
1 x SURICATA TCPv4 invalid checksum Prio: 3
|
101
|
+
-> 9.1.2.1
|
102
|
+
1 x SURICATA TCPv4 invalid checksum Prio: 3
|
103
|
+
|
104
|
+
```
|
105
|
+
|
54
106
|
## Documentation
|
55
107
|
|
56
108
|
[rubydoc.info](http://www.rubydoc.info/github/whotwagner/suricata/master)
|
data/exe/surilizer.rb
ADDED
@@ -0,0 +1,32 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require 'bundler/setup'
|
4
|
+
require 'suricata/surilizer'
|
5
|
+
|
6
|
+
def usage(prognam)
|
7
|
+
puts "Usage: #{prognam} <fast.log | fast.log.gz | fast.log fast.log.1.gz fast.log2.gz fast3.log>"
|
8
|
+
exit 0
|
9
|
+
end
|
10
|
+
|
11
|
+
begin
|
12
|
+
usage($PROGRAM_NAME) if ARGV.length == 0
|
13
|
+
surilizer = Suricata::Surilizer.new()
|
14
|
+
|
15
|
+
ARGV.each do |f|
|
16
|
+
if f =~ /.*.gz$/
|
17
|
+
Zlib::GzipReader.open(f) {|gz|
|
18
|
+
surilizer.logfile = Suricata::Logfile.new(nil,false,gz)
|
19
|
+
surilizer.analyze
|
20
|
+
surilizer.logfile.close
|
21
|
+
}
|
22
|
+
else
|
23
|
+
surilizer.logfile = Suricata::Logfile.new(f)
|
24
|
+
surilizer.analyze
|
25
|
+
surilizer.logfile.close
|
26
|
+
end
|
27
|
+
end
|
28
|
+
surilizer.result
|
29
|
+
rescue Errno::ENOENT => e
|
30
|
+
puts "#{e.message}\n"
|
31
|
+
exit 1
|
32
|
+
end
|
data/lib/suricata/fast.rb
CHANGED
data/lib/suricata/logfile.rb
CHANGED
@@ -41,12 +41,14 @@ attr_reader :file, :line
|
|
41
41
|
# constructor
|
42
42
|
# @param [String] logfile path and filename of the logfile
|
43
43
|
# @param [Boolean] autoopen calls open if true(default: true)
|
44
|
-
def initialize(logfile,autoopen=true)
|
44
|
+
def initialize(logfile,autoopen=true,file=nil)
|
45
45
|
@logfile = logfile
|
46
46
|
@parser = Suricata::Fast.new
|
47
47
|
|
48
48
|
if autoopen == true
|
49
49
|
open
|
50
|
+
else
|
51
|
+
@file = file if not file.nil?
|
50
52
|
end
|
51
53
|
end
|
52
54
|
|
@@ -89,6 +91,13 @@ def readline_parse
|
|
89
91
|
end
|
90
92
|
|
91
93
|
# this method reads a line of the logfile
|
94
|
+
#
|
95
|
+
# @example readline with a block
|
96
|
+
# log = Suricata::Logfile.new("misc/fast.log")
|
97
|
+
# log.readline do |n|
|
98
|
+
# puts n
|
99
|
+
# end
|
100
|
+
#
|
92
101
|
# @return [String] line current logfile entry
|
93
102
|
# @return [Boolean] false when EOF reached
|
94
103
|
# @yieldparam [String] @line current logfile entry
|
@@ -0,0 +1,120 @@
|
|
1
|
+
module Suricata
|
2
|
+
|
3
|
+
require 'suricata/logfile'
|
4
|
+
|
5
|
+
class Counter
|
6
|
+
attr_reader :count
|
7
|
+
|
8
|
+
def initialize(start=0)
|
9
|
+
@count = start
|
10
|
+
end
|
11
|
+
|
12
|
+
def increase
|
13
|
+
@count += 1
|
14
|
+
end
|
15
|
+
|
16
|
+
def to_s
|
17
|
+
"#{@count}"
|
18
|
+
end
|
19
|
+
|
20
|
+
end
|
21
|
+
|
22
|
+
|
23
|
+
#
|
24
|
+
# [src-ip][counter]
|
25
|
+
# [src-ip][dst]
|
26
|
+
# [src-ip][dst][counter]
|
27
|
+
# [src-ip][dst][desc][counter]
|
28
|
+
class Surilizer
|
29
|
+
|
30
|
+
attr_accessor :logfile
|
31
|
+
attr_reader :src, :lines
|
32
|
+
|
33
|
+
def initialize(file = nil)
|
34
|
+
|
35
|
+
@logfile = Suricata::Logfile.new(file) if not file.nil?
|
36
|
+
@src = Hash.new
|
37
|
+
@dst = Hash.new
|
38
|
+
@lines = Counter.new
|
39
|
+
end
|
40
|
+
|
41
|
+
|
42
|
+
|
43
|
+
def analyze()
|
44
|
+
@logfile.readline_parse do |entry|
|
45
|
+
@lines.increase
|
46
|
+
addCounter(@src,entry.conn.src)
|
47
|
+
addEntry(@src[entry.conn.src],'dst',Hash)
|
48
|
+
addCounter(@src[entry.conn.src]['dst'],entry.conn.dst)
|
49
|
+
addEntry(@src[entry.conn.src]['dst'][entry.conn.dst],'desc',Hash)
|
50
|
+
addCounter(@src[entry.conn.src]['dst'][entry.conn.dst]['desc'],entry.description)
|
51
|
+
@src[entry.conn.src]['dst'][entry.conn.dst]['desc'][entry.description]['prio'] = entry.priority
|
52
|
+
@src[entry.conn.src]['dst'][entry.conn.dst]['desc'][entry.description]['class'] = entry.classification
|
53
|
+
end
|
54
|
+
|
55
|
+
|
56
|
+
end
|
57
|
+
|
58
|
+
def getUniqEvents
|
59
|
+
a = Array.new
|
60
|
+
@src.each do |key,val|
|
61
|
+
val['dst'].each do |keya,vala|
|
62
|
+
val['dst'][keya]['desc'].each do |keyb,valb|
|
63
|
+
a.push([keyb,val['dst'][keya]['desc'][keyb]['prio']])
|
64
|
+
end
|
65
|
+
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
return a.uniq
|
70
|
+
end
|
71
|
+
|
72
|
+
def result
|
73
|
+
events = getUniqEvents
|
74
|
+
puts "======== Suricata Log Analysis ========"
|
75
|
+
puts "Events: #{@lines}"
|
76
|
+
puts "Unique Sources: #{@src.length}"
|
77
|
+
puts "Unique Events: #{events.length}"
|
78
|
+
puts "\n"
|
79
|
+
puts "======== Unique Events ========="
|
80
|
+
puts "\n"
|
81
|
+
puts "PRIORITY\t| DESCRIPTION "
|
82
|
+
events.sort{ |x,y| x[1] <=> y[1]}.each do |e|
|
83
|
+
puts "#{e[1]}\t\t| #{e[0]}"
|
84
|
+
end
|
85
|
+
puts "\n"
|
86
|
+
|
87
|
+
puts "======== Eventy by source ========"
|
88
|
+
@src.each do |key,val|
|
89
|
+
puts "Source: #{key}"
|
90
|
+
val['dst'].each do |keya,vala|
|
91
|
+
puts "\t-> #{keya}\n"
|
92
|
+
val['dst'][keya]['desc'].each do |keyb,valb|
|
93
|
+
puts "\t\t#{valb['counter'].count} x #{keyb} Prio: #{valb['prio']}\n"
|
94
|
+
end
|
95
|
+
|
96
|
+
end
|
97
|
+
puts ""
|
98
|
+
end
|
99
|
+
|
100
|
+
end
|
101
|
+
|
102
|
+
private
|
103
|
+
def addCounter(val,entry)
|
104
|
+
if not val.key?(entry)
|
105
|
+
val[entry] = Hash.new
|
106
|
+
val[entry]['counter'] = Counter.new(1)
|
107
|
+
else
|
108
|
+
val[entry]['counter'].increase
|
109
|
+
end
|
110
|
+
end
|
111
|
+
|
112
|
+
def addEntry(val,entry,type)
|
113
|
+
if not val.key?(entry)
|
114
|
+
val[entry] = type.new
|
115
|
+
end
|
116
|
+
end
|
117
|
+
|
118
|
+
end
|
119
|
+
|
120
|
+
end
|
data/lib/suricata/version.rb
CHANGED
data/lib/suricata.rb
CHANGED
data/misc/fast.log.1
ADDED
@@ -0,0 +1,151 @@
|
|
1
|
+
10/06/2016-07:14:39.186933 [**] [1:2500034:4093] ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 183.129.160.229:16192 -> 192.168.0.5:80
|
2
|
+
10/06/2016-09:44:22.405503 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:61214 -> 213.185.164.216:80
|
3
|
+
10/06/2016-09:59:15.555306 [**] [1:2019401:14] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.27:49286 -> 23.37.43.27:80
|
4
|
+
10/06/2016-09:59:15.647027 [**] [1:2019401:14] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.27:49288 -> 23.37.43.27:80
|
5
|
+
10/06/2016-10:00:47.457385 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.13:59845 -> 172.217.21.98:443
|
6
|
+
10/06/2016-10:00:47.458093 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.217.21.98:443 -> 192.168.0.13:59845
|
7
|
+
10/06/2016-10:00:47.518407 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.13:59847 -> 185.33.220.5:443
|
8
|
+
10/06/2016-10:00:47.518947 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 185.33.220.5:443 -> 192.168.0.13:59847
|
9
|
+
10/06/2016-10:01:22.040337 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49760 -> 195.182.26.70:443
|
10
|
+
10/06/2016-10:01:22.092234 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49760
|
11
|
+
10/06/2016-10:01:22.984315 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49762 -> 195.182.26.70:443
|
12
|
+
10/06/2016-10:01:23.032643 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49762
|
13
|
+
10/06/2016-10:01:23.500111 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49764 -> 195.182.26.70:443
|
14
|
+
10/06/2016-10:01:23.547588 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49764
|
15
|
+
10/06/2016-10:01:23.777248 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49766 -> 195.182.26.70:443
|
16
|
+
10/06/2016-10:01:23.826879 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49766
|
17
|
+
10/06/2016-10:01:25.072561 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49768 -> 195.182.26.70:443
|
18
|
+
10/06/2016-10:01:25.122716 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49768
|
19
|
+
10/06/2016-10:01:39.295768 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49774 -> 195.182.26.70:443
|
20
|
+
10/06/2016-10:01:39.343762 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49774
|
21
|
+
10/06/2016-10:01:43.694306 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49776 -> 195.182.26.70:443
|
22
|
+
10/06/2016-10:01:43.743578 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49776
|
23
|
+
10/06/2016-10:01:46.065983 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49779 -> 195.182.26.70:443
|
24
|
+
10/06/2016-10:01:46.115559 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49779
|
25
|
+
10/06/2016-10:44:22.352988 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:62401 -> 213.185.164.216:80
|
26
|
+
10/06/2016-11:24:34.439602 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50361 -> 195.182.26.70:443
|
27
|
+
10/06/2016-11:24:34.490234 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50361
|
28
|
+
10/06/2016-11:24:34.952874 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50363 -> 195.182.26.70:443
|
29
|
+
10/06/2016-11:24:35.003259 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50363
|
30
|
+
10/06/2016-11:24:35.398791 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50365 -> 195.182.26.70:443
|
31
|
+
10/06/2016-11:24:35.688142 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50367 -> 195.182.26.70:443
|
32
|
+
10/06/2016-11:24:35.454109 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50365
|
33
|
+
10/06/2016-11:24:35.739529 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50367
|
34
|
+
10/06/2016-11:24:41.738544 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50369 -> 195.182.26.70:443
|
35
|
+
10/06/2016-11:24:41.787304 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50369
|
36
|
+
10/06/2016-11:24:44.080325 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50372 -> 195.182.26.70:443
|
37
|
+
10/06/2016-11:24:44.130042 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50372
|
38
|
+
10/06/2016-11:24:44.809038 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50374 -> 195.182.26.70:443
|
39
|
+
10/06/2016-11:24:44.856946 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50374
|
40
|
+
10/06/2016-11:25:39.392733 [**] [1:2402000:4200] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.216.43:443 -> 192.168.0.5:443
|
41
|
+
10/06/2016-11:25:39.392733 [**] [1:2403302:2973] ET CINS Active Threat Intelligence Poor Reputation IP group 3 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.216.43:443 -> 192.168.0.5:443
|
42
|
+
10/06/2016-11:33:03.671111 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50682 -> 195.182.26.70:443
|
43
|
+
10/06/2016-11:33:03.719371 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50682
|
44
|
+
10/06/2016-11:33:04.211684 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50684 -> 195.182.26.70:443
|
45
|
+
10/06/2016-11:33:04.260356 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50684
|
46
|
+
10/06/2016-11:33:04.869569 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50686 -> 195.182.26.70:443
|
47
|
+
10/06/2016-11:33:04.919184 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50686
|
48
|
+
10/06/2016-11:33:05.779465 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50688 -> 195.182.26.70:443
|
49
|
+
10/06/2016-11:33:05.790281 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50688
|
50
|
+
10/06/2016-11:33:08.934400 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50690 -> 195.182.26.70:443
|
51
|
+
10/06/2016-11:33:08.981786 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50690
|
52
|
+
10/06/2016-11:38:43.580726 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50707 -> 195.182.26.70:443
|
53
|
+
10/06/2016-11:38:43.630861 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50707
|
54
|
+
10/06/2016-11:42:45.210344 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50744 -> 195.182.26.70:443
|
55
|
+
10/06/2016-11:42:45.260877 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50744
|
56
|
+
10/06/2016-11:42:45.503674 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50746 -> 195.182.26.70:443
|
57
|
+
10/06/2016-11:42:45.554973 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50746
|
58
|
+
10/06/2016-11:42:45.813082 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50748 -> 195.182.26.70:443
|
59
|
+
10/06/2016-11:42:45.862735 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50748
|
60
|
+
10/06/2016-11:42:46.106513 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50750 -> 195.182.26.70:443
|
61
|
+
10/06/2016-11:42:46.364219 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50752 -> 195.182.26.70:443
|
62
|
+
10/06/2016-11:42:46.411981 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50752
|
63
|
+
10/06/2016-11:42:46.155033 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50750
|
64
|
+
10/06/2016-11:42:53.320067 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50756 -> 195.182.26.70:443
|
65
|
+
10/06/2016-11:42:53.370898 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50756
|
66
|
+
10/06/2016-11:42:53.711102 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50758 -> 195.182.26.70:443
|
67
|
+
10/06/2016-11:42:53.721841 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50758
|
68
|
+
10/06/2016-11:42:54.872327 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50760 -> 195.182.26.70:443
|
69
|
+
10/06/2016-11:42:54.923655 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50760
|
70
|
+
10/06/2016-11:44:22.320503 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:63642 -> 213.185.164.216:80
|
71
|
+
10/06/2016-11:46:51.362738 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50798 -> 195.182.26.70:443
|
72
|
+
10/06/2016-11:46:51.412815 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50798
|
73
|
+
10/06/2016-11:54:23.928145 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:63864 -> 213.185.164.216:80
|
74
|
+
10/06/2016-11:54:44.314769 [**] [1:2015561:2] ET INFO PDF Using CCITTFax Filter [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 87.106.10.40:80 -> 192.168.0.13:62018
|
75
|
+
10/06/2016-11:55:37.777647 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:63876 -> 213.185.164.216:80
|
76
|
+
10/06/2016-12:42:18.524190 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50701 -> 195.182.26.70:443
|
77
|
+
10/06/2016-12:42:18.572171 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50701
|
78
|
+
10/06/2016-12:42:18.878037 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50703 -> 195.182.26.70:443
|
79
|
+
10/06/2016-12:42:18.926799 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50703
|
80
|
+
10/06/2016-12:42:19.574259 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50705 -> 195.182.26.70:443
|
81
|
+
10/06/2016-12:42:19.626434 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50705
|
82
|
+
10/06/2016-12:42:20.022120 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50707 -> 195.182.26.70:443
|
83
|
+
10/06/2016-12:42:20.072932 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50707
|
84
|
+
10/06/2016-12:42:20.339976 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50709 -> 195.182.26.70:443
|
85
|
+
10/06/2016-12:42:20.389370 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50709
|
86
|
+
10/06/2016-12:42:25.100167 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50712 -> 195.182.26.70:443
|
87
|
+
10/06/2016-12:42:25.151540 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50712
|
88
|
+
10/06/2016-12:42:27.593697 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50715 -> 195.182.26.70:443
|
89
|
+
10/06/2016-12:42:27.641473 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50715
|
90
|
+
10/06/2016-12:49:46.811236 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.17:58206 -> 136.243.54.218:443
|
91
|
+
10/06/2016-12:49:46.834430 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 136.243.54.218:443 -> 192.168.0.17:58206
|
92
|
+
10/06/2016-12:49:48.305316 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.17:58275 -> 37.252.172.70:443
|
93
|
+
10/06/2016-12:49:48.540260 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.252.172.70:443 -> 192.168.0.17:58275
|
94
|
+
10/06/2016-13:55:27.681946 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51297 -> 195.182.26.70:443
|
95
|
+
10/06/2016-13:55:27.733038 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51297
|
96
|
+
10/06/2016-13:55:28.007280 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51299 -> 195.182.26.70:443
|
97
|
+
10/06/2016-13:55:28.055659 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51299
|
98
|
+
10/06/2016-13:55:28.295711 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51301 -> 195.182.26.70:443
|
99
|
+
10/06/2016-13:55:28.342795 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51301
|
100
|
+
10/06/2016-13:55:28.579846 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51303 -> 195.182.26.70:443
|
101
|
+
10/06/2016-13:55:28.628843 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51303
|
102
|
+
10/06/2016-13:55:29.057794 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51305 -> 195.182.26.70:443
|
103
|
+
10/06/2016-13:55:29.067345 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51305
|
104
|
+
10/06/2016-13:55:30.919653 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51307 -> 195.182.26.70:443
|
105
|
+
10/06/2016-13:55:30.967892 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51307
|
106
|
+
10/06/2016-13:58:30.794280 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51339 -> 195.182.26.70:443
|
107
|
+
10/06/2016-13:58:30.843475 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51339
|
108
|
+
10/06/2016-14:14:25.524991 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:51087 -> 195.182.26.70:443
|
109
|
+
10/06/2016-14:14:25.574540 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:51087
|
110
|
+
10/06/2016-14:14:25.830298 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:51089 -> 195.182.26.70:443
|
111
|
+
10/06/2016-14:14:25.879511 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:51089
|
112
|
+
10/06/2016-14:14:26.072196 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:51091 -> 195.182.26.70:443
|
113
|
+
10/06/2016-14:14:26.123644 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:51091
|
114
|
+
10/06/2016-14:14:27.566537 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:51093 -> 195.182.26.70:443
|
115
|
+
10/06/2016-14:14:27.614581 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:51093
|
116
|
+
10/06/2016-14:26:04.796851 [**] [1:2018959:2] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 173.194.62.246:80 -> 192.168.0.22:49267
|
117
|
+
10/06/2016-15:13:43.419337 [**] [1:2018959:2] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.227.186.144:80 -> 192.168.0.12:49697
|
118
|
+
10/06/2016-15:25:42.722773 [**] [1:2018959:2] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.84.190.186:80 -> 192.168.0.22:49449
|
119
|
+
10/06/2016-17:06:50.928856 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.13:63778 -> 136.243.39.93:443
|
120
|
+
10/06/2016-17:06:50.965275 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 136.243.39.93:443 -> 192.168.0.13:63778
|
121
|
+
10/06/2016-17:11:20.543656 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52373 -> 195.182.26.70:443
|
122
|
+
10/06/2016-17:11:20.594119 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52373
|
123
|
+
10/06/2016-17:11:23.117712 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52377 -> 195.182.26.70:443
|
124
|
+
10/06/2016-17:11:23.409590 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52379 -> 195.182.26.70:443
|
125
|
+
10/06/2016-17:11:23.165725 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52377
|
126
|
+
10/06/2016-17:11:23.456747 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52379
|
127
|
+
10/06/2016-17:11:23.706986 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52381 -> 195.182.26.70:443
|
128
|
+
10/06/2016-17:11:23.754938 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52381
|
129
|
+
10/06/2016-17:11:23.965564 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52383 -> 195.182.26.70:443
|
130
|
+
10/06/2016-17:11:24.013870 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52383
|
131
|
+
10/06/2016-17:11:26.529664 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52386 -> 195.182.26.70:443
|
132
|
+
10/06/2016-17:11:26.579047 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52386
|
133
|
+
10/06/2016-17:11:27.193283 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52388 -> 195.182.26.70:443
|
134
|
+
10/06/2016-17:11:27.205002 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52388
|
135
|
+
10/06/2016-17:11:29.563647 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52390 -> 195.182.26.70:443
|
136
|
+
10/06/2016-17:11:29.610961 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52390
|
137
|
+
10/06/2016-17:16:05.701318 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52415 -> 195.182.26.70:443
|
138
|
+
10/06/2016-17:16:05.748978 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52415
|
139
|
+
10/06/2016-18:27:22.260810 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:52404 -> 195.182.26.70:443
|
140
|
+
10/06/2016-18:27:22.309444 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:52404
|
141
|
+
10/06/2016-18:27:22.878087 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:52406 -> 195.182.26.70:443
|
142
|
+
10/06/2016-18:27:23.116603 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:52408 -> 195.182.26.70:443
|
143
|
+
10/06/2016-18:27:22.929708 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:52406
|
144
|
+
10/06/2016-18:27:23.166721 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:52408
|
145
|
+
10/06/2016-18:27:23.395819 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:52410 -> 195.182.26.70:443
|
146
|
+
10/06/2016-18:27:23.443786 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:52410
|
147
|
+
10/06/2016-19:03:04.751445 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.13:49344 -> 216.58.214.130:443
|
148
|
+
10/06/2016-19:03:04.754773 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.58.214.130:443 -> 192.168.0.13:49344
|
149
|
+
10/06/2016-21:31:41.925044 [**] [1:2402000:4200] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.240.144.65:42206 -> 192.168.0.5:443
|
150
|
+
10/06/2016-21:31:41.925044 [**] [1:2403302:2973] ET CINS Active Threat Intelligence Poor Reputation IP group 3 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.240.144.65:42206 -> 192.168.0.5:443
|
151
|
+
10/07/2016-04:48:38.031059 [**] [1:2500034:4093] ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 183.129.160.229:811 -> 192.168.0.5:80
|
data/misc/fast.log.2.gz
ADDED
Binary file
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: suricata
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Wolfgang Hotwagner
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2017-01-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -71,13 +71,17 @@ files:
|
|
71
71
|
- bin/console
|
72
72
|
- bin/setup
|
73
73
|
- exe/check_suricata
|
74
|
+
- exe/surilizer.rb
|
74
75
|
- lib/suricata.rb
|
75
76
|
- lib/suricata/connection.rb
|
76
77
|
- lib/suricata/fast.rb
|
77
78
|
- lib/suricata/logfile.rb
|
78
79
|
- lib/suricata/nagios.rb
|
80
|
+
- lib/suricata/surilizer.rb
|
79
81
|
- lib/suricata/version.rb
|
80
82
|
- misc/fast.log
|
83
|
+
- misc/fast.log.1
|
84
|
+
- misc/fast.log.2.gz
|
81
85
|
- misc/whitelist.txt
|
82
86
|
- suricata.gemspec
|
83
87
|
homepage: https://github.com/whotwagner/suricata
|