suricata 0.2.1 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +54 -2
- data/exe/surilizer.rb +32 -0
- data/lib/suricata/fast.rb +4 -0
- data/lib/suricata/logfile.rb +10 -1
- data/lib/suricata/surilizer.rb +120 -0
- data/lib/suricata/version.rb +1 -1
- data/lib/suricata.rb +1 -0
- data/misc/fast.log.1 +151 -0
- data/misc/fast.log.2.gz +0 -0
- metadata +6 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 23facf078e973ea4a2a3f829ac363ab7a04ffe68
|
|
4
|
+
data.tar.gz: 37b07b5b458de9354fe3207e8c1d632ba2e1a802
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 07b2718ec993525bfb416686758af07a9df748550e334549c7175ec6d2d5ed8d8e1e27f737cccd61aa7996b6ed84945dfed1369407f58c8499856ba46e3a87a4
|
|
7
|
+
data.tar.gz: 9e4d48806d18f31b4470416e186295b9873b4111aa2ab47822c1039fa1c251baaad5b794052af67fafbbf2f32649f938eaca8727932131cfef61bc3d2bb77f02
|
data/README.md
CHANGED
|
@@ -31,7 +31,7 @@ Or install it yourself as:
|
|
|
31
31
|
This gem comes with a Nagios-plugin to search suricata's fast-logfile for specific strings in the threat-description.
|
|
32
32
|
|
|
33
33
|
```
|
|
34
|
-
Usage: check_suricata
|
|
34
|
+
Usage: check_suricata [ -a alertfile ] [ -w whitelistfile ] -e searchstring
|
|
35
35
|
-h, --help This help screen
|
|
36
36
|
-a, --alertfile ALERTFILE alertfile(default: /var/log/suricata/fast.log)
|
|
37
37
|
-w, --whitelist WHITELISTFILE whitelistfile
|
|
@@ -42,7 +42,7 @@ Usage: check_suricata.rb [ -a alertfile ] [ -w whitelistfile ] -e searchstring
|
|
|
42
42
|
|
|
43
43
|
It is possible to interactively acknowlege search hits so that they will not occur on the next search:
|
|
44
44
|
```
|
|
45
|
-
check_suricata
|
|
45
|
+
check_suricata -i -e "ET CHAT"
|
|
46
46
|
Acknowlege the following entry:
|
|
47
47
|
10/04/2016-13:39:45.498785 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:40460 -> 15.14.13.12:80
|
|
48
48
|
Acknowlege(y|n): y
|
|
@@ -51,6 +51,58 @@ Acknowlege the following entry:
|
|
|
51
51
|
Acknowlege(y|n): n
|
|
52
52
|
```
|
|
53
53
|
|
|
54
|
+
### Logfile Analyzer
|
|
55
|
+
|
|
56
|
+
This gem comes with a logfile analyzer for suricata's fast.log. It's very easy to use and meant for using as a daily cronjob
|
|
57
|
+
```
|
|
58
|
+
Usage: surilizer.rb <fast.log | fast.log* | fast.log fast.2.log fast.3.log.gz >
|
|
59
|
+
|
|
60
|
+
surilizer.rb misc/fast.log
|
|
61
|
+
|
|
62
|
+
======== Suricata Log Analysis ========
|
|
63
|
+
Events: 11
|
|
64
|
+
Unique Sources: 3
|
|
65
|
+
Unique Events: 6
|
|
66
|
+
|
|
67
|
+
======== Unique Events =========
|
|
68
|
+
|
|
69
|
+
PRIORITY | DESCRIPTION
|
|
70
|
+
1 | ET POLICY Cleartext WordPress Login
|
|
71
|
+
1 | ET POLICY Http Client Body contains pwd= in cleartext
|
|
72
|
+
1 | ET CHAT Skype VOIP Checking Version (Startup)
|
|
73
|
+
2 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339
|
|
74
|
+
3 | GPL CHAT Jabber/Google Talk Outgoing Traffic
|
|
75
|
+
3 | SURICATA TCPv4 invalid checksum
|
|
76
|
+
|
|
77
|
+
======== Eventy by source ========
|
|
78
|
+
Source: 192.168.0.1
|
|
79
|
+
-> 8.8.8.8
|
|
80
|
+
1 x ET POLICY Cleartext WordPress Login Prio: 1
|
|
81
|
+
-> 8.8.8.1
|
|
82
|
+
1 x ET POLICY Http Client Body contains pwd= in cleartext Prio: 1
|
|
83
|
+
-> 4.3.2.1
|
|
84
|
+
1 x SURICATA TCPv4 invalid checksum Prio: 3
|
|
85
|
+
-> 15.14.13.12
|
|
86
|
+
1 x ET CHAT Skype VOIP Checking Version (Startup) Prio: 1
|
|
87
|
+
-> 8.4.3.7
|
|
88
|
+
1 x GPL CHAT Jabber/Google Talk Outgoing Traffic Prio: 3
|
|
89
|
+
-> 1.2.3.22
|
|
90
|
+
2 x SURICATA TCPv4 invalid checksum Prio: 3
|
|
91
|
+
-> 100.254.198.10
|
|
92
|
+
1 x ET CHAT Skype VOIP Checking Version (Startup) Prio: 1
|
|
93
|
+
|
|
94
|
+
Source: 212.69.166.153
|
|
95
|
+
-> 1.2.3.4
|
|
96
|
+
1 x ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339 Prio: 2
|
|
97
|
+
|
|
98
|
+
Source: 10.12.32.6
|
|
99
|
+
-> 42.42.42.42
|
|
100
|
+
1 x SURICATA TCPv4 invalid checksum Prio: 3
|
|
101
|
+
-> 9.1.2.1
|
|
102
|
+
1 x SURICATA TCPv4 invalid checksum Prio: 3
|
|
103
|
+
|
|
104
|
+
```
|
|
105
|
+
|
|
54
106
|
## Documentation
|
|
55
107
|
|
|
56
108
|
[rubydoc.info](http://www.rubydoc.info/github/whotwagner/suricata/master)
|
data/exe/surilizer.rb
ADDED
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
#!/usr/bin/env ruby
|
|
2
|
+
|
|
3
|
+
require 'bundler/setup'
|
|
4
|
+
require 'suricata/surilizer'
|
|
5
|
+
|
|
6
|
+
def usage(prognam)
|
|
7
|
+
puts "Usage: #{prognam} <fast.log | fast.log.gz | fast.log fast.log.1.gz fast.log2.gz fast3.log>"
|
|
8
|
+
exit 0
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
begin
|
|
12
|
+
usage($PROGRAM_NAME) if ARGV.length == 0
|
|
13
|
+
surilizer = Suricata::Surilizer.new()
|
|
14
|
+
|
|
15
|
+
ARGV.each do |f|
|
|
16
|
+
if f =~ /.*.gz$/
|
|
17
|
+
Zlib::GzipReader.open(f) {|gz|
|
|
18
|
+
surilizer.logfile = Suricata::Logfile.new(nil,false,gz)
|
|
19
|
+
surilizer.analyze
|
|
20
|
+
surilizer.logfile.close
|
|
21
|
+
}
|
|
22
|
+
else
|
|
23
|
+
surilizer.logfile = Suricata::Logfile.new(f)
|
|
24
|
+
surilizer.analyze
|
|
25
|
+
surilizer.logfile.close
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
surilizer.result
|
|
29
|
+
rescue Errno::ENOENT => e
|
|
30
|
+
puts "#{e.message}\n"
|
|
31
|
+
exit 1
|
|
32
|
+
end
|
data/lib/suricata/fast.rb
CHANGED
data/lib/suricata/logfile.rb
CHANGED
|
@@ -41,12 +41,14 @@ attr_reader :file, :line
|
|
|
41
41
|
# constructor
|
|
42
42
|
# @param [String] logfile path and filename of the logfile
|
|
43
43
|
# @param [Boolean] autoopen calls open if true(default: true)
|
|
44
|
-
def initialize(logfile,autoopen=true)
|
|
44
|
+
def initialize(logfile,autoopen=true,file=nil)
|
|
45
45
|
@logfile = logfile
|
|
46
46
|
@parser = Suricata::Fast.new
|
|
47
47
|
|
|
48
48
|
if autoopen == true
|
|
49
49
|
open
|
|
50
|
+
else
|
|
51
|
+
@file = file if not file.nil?
|
|
50
52
|
end
|
|
51
53
|
end
|
|
52
54
|
|
|
@@ -89,6 +91,13 @@ def readline_parse
|
|
|
89
91
|
end
|
|
90
92
|
|
|
91
93
|
# this method reads a line of the logfile
|
|
94
|
+
#
|
|
95
|
+
# @example readline with a block
|
|
96
|
+
# log = Suricata::Logfile.new("misc/fast.log")
|
|
97
|
+
# log.readline do |n|
|
|
98
|
+
# puts n
|
|
99
|
+
# end
|
|
100
|
+
#
|
|
92
101
|
# @return [String] line current logfile entry
|
|
93
102
|
# @return [Boolean] false when EOF reached
|
|
94
103
|
# @yieldparam [String] @line current logfile entry
|
|
@@ -0,0 +1,120 @@
|
|
|
1
|
+
module Suricata
|
|
2
|
+
|
|
3
|
+
require 'suricata/logfile'
|
|
4
|
+
|
|
5
|
+
class Counter
|
|
6
|
+
attr_reader :count
|
|
7
|
+
|
|
8
|
+
def initialize(start=0)
|
|
9
|
+
@count = start
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def increase
|
|
13
|
+
@count += 1
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def to_s
|
|
17
|
+
"#{@count}"
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
|
|
23
|
+
#
|
|
24
|
+
# [src-ip][counter]
|
|
25
|
+
# [src-ip][dst]
|
|
26
|
+
# [src-ip][dst][counter]
|
|
27
|
+
# [src-ip][dst][desc][counter]
|
|
28
|
+
class Surilizer
|
|
29
|
+
|
|
30
|
+
attr_accessor :logfile
|
|
31
|
+
attr_reader :src, :lines
|
|
32
|
+
|
|
33
|
+
def initialize(file = nil)
|
|
34
|
+
|
|
35
|
+
@logfile = Suricata::Logfile.new(file) if not file.nil?
|
|
36
|
+
@src = Hash.new
|
|
37
|
+
@dst = Hash.new
|
|
38
|
+
@lines = Counter.new
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
|
|
42
|
+
|
|
43
|
+
def analyze()
|
|
44
|
+
@logfile.readline_parse do |entry|
|
|
45
|
+
@lines.increase
|
|
46
|
+
addCounter(@src,entry.conn.src)
|
|
47
|
+
addEntry(@src[entry.conn.src],'dst',Hash)
|
|
48
|
+
addCounter(@src[entry.conn.src]['dst'],entry.conn.dst)
|
|
49
|
+
addEntry(@src[entry.conn.src]['dst'][entry.conn.dst],'desc',Hash)
|
|
50
|
+
addCounter(@src[entry.conn.src]['dst'][entry.conn.dst]['desc'],entry.description)
|
|
51
|
+
@src[entry.conn.src]['dst'][entry.conn.dst]['desc'][entry.description]['prio'] = entry.priority
|
|
52
|
+
@src[entry.conn.src]['dst'][entry.conn.dst]['desc'][entry.description]['class'] = entry.classification
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def getUniqEvents
|
|
59
|
+
a = Array.new
|
|
60
|
+
@src.each do |key,val|
|
|
61
|
+
val['dst'].each do |keya,vala|
|
|
62
|
+
val['dst'][keya]['desc'].each do |keyb,valb|
|
|
63
|
+
a.push([keyb,val['dst'][keya]['desc'][keyb]['prio']])
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
return a.uniq
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def result
|
|
73
|
+
events = getUniqEvents
|
|
74
|
+
puts "======== Suricata Log Analysis ========"
|
|
75
|
+
puts "Events: #{@lines}"
|
|
76
|
+
puts "Unique Sources: #{@src.length}"
|
|
77
|
+
puts "Unique Events: #{events.length}"
|
|
78
|
+
puts "\n"
|
|
79
|
+
puts "======== Unique Events ========="
|
|
80
|
+
puts "\n"
|
|
81
|
+
puts "PRIORITY\t| DESCRIPTION "
|
|
82
|
+
events.sort{ |x,y| x[1] <=> y[1]}.each do |e|
|
|
83
|
+
puts "#{e[1]}\t\t| #{e[0]}"
|
|
84
|
+
end
|
|
85
|
+
puts "\n"
|
|
86
|
+
|
|
87
|
+
puts "======== Eventy by source ========"
|
|
88
|
+
@src.each do |key,val|
|
|
89
|
+
puts "Source: #{key}"
|
|
90
|
+
val['dst'].each do |keya,vala|
|
|
91
|
+
puts "\t-> #{keya}\n"
|
|
92
|
+
val['dst'][keya]['desc'].each do |keyb,valb|
|
|
93
|
+
puts "\t\t#{valb['counter'].count} x #{keyb} Prio: #{valb['prio']}\n"
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
end
|
|
97
|
+
puts ""
|
|
98
|
+
end
|
|
99
|
+
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
private
|
|
103
|
+
def addCounter(val,entry)
|
|
104
|
+
if not val.key?(entry)
|
|
105
|
+
val[entry] = Hash.new
|
|
106
|
+
val[entry]['counter'] = Counter.new(1)
|
|
107
|
+
else
|
|
108
|
+
val[entry]['counter'].increase
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
def addEntry(val,entry,type)
|
|
113
|
+
if not val.key?(entry)
|
|
114
|
+
val[entry] = type.new
|
|
115
|
+
end
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
end
|
data/lib/suricata/version.rb
CHANGED
data/lib/suricata.rb
CHANGED
data/misc/fast.log.1
ADDED
|
@@ -0,0 +1,151 @@
|
|
|
1
|
+
10/06/2016-07:14:39.186933 [**] [1:2500034:4093] ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 183.129.160.229:16192 -> 192.168.0.5:80
|
|
2
|
+
10/06/2016-09:44:22.405503 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:61214 -> 213.185.164.216:80
|
|
3
|
+
10/06/2016-09:59:15.555306 [**] [1:2019401:14] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.27:49286 -> 23.37.43.27:80
|
|
4
|
+
10/06/2016-09:59:15.647027 [**] [1:2019401:14] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.27:49288 -> 23.37.43.27:80
|
|
5
|
+
10/06/2016-10:00:47.457385 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.13:59845 -> 172.217.21.98:443
|
|
6
|
+
10/06/2016-10:00:47.458093 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.217.21.98:443 -> 192.168.0.13:59845
|
|
7
|
+
10/06/2016-10:00:47.518407 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.13:59847 -> 185.33.220.5:443
|
|
8
|
+
10/06/2016-10:00:47.518947 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 185.33.220.5:443 -> 192.168.0.13:59847
|
|
9
|
+
10/06/2016-10:01:22.040337 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49760 -> 195.182.26.70:443
|
|
10
|
+
10/06/2016-10:01:22.092234 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49760
|
|
11
|
+
10/06/2016-10:01:22.984315 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49762 -> 195.182.26.70:443
|
|
12
|
+
10/06/2016-10:01:23.032643 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49762
|
|
13
|
+
10/06/2016-10:01:23.500111 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49764 -> 195.182.26.70:443
|
|
14
|
+
10/06/2016-10:01:23.547588 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49764
|
|
15
|
+
10/06/2016-10:01:23.777248 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49766 -> 195.182.26.70:443
|
|
16
|
+
10/06/2016-10:01:23.826879 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49766
|
|
17
|
+
10/06/2016-10:01:25.072561 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49768 -> 195.182.26.70:443
|
|
18
|
+
10/06/2016-10:01:25.122716 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49768
|
|
19
|
+
10/06/2016-10:01:39.295768 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49774 -> 195.182.26.70:443
|
|
20
|
+
10/06/2016-10:01:39.343762 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49774
|
|
21
|
+
10/06/2016-10:01:43.694306 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49776 -> 195.182.26.70:443
|
|
22
|
+
10/06/2016-10:01:43.743578 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49776
|
|
23
|
+
10/06/2016-10:01:46.065983 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:49779 -> 195.182.26.70:443
|
|
24
|
+
10/06/2016-10:01:46.115559 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:49779
|
|
25
|
+
10/06/2016-10:44:22.352988 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:62401 -> 213.185.164.216:80
|
|
26
|
+
10/06/2016-11:24:34.439602 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50361 -> 195.182.26.70:443
|
|
27
|
+
10/06/2016-11:24:34.490234 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50361
|
|
28
|
+
10/06/2016-11:24:34.952874 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50363 -> 195.182.26.70:443
|
|
29
|
+
10/06/2016-11:24:35.003259 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50363
|
|
30
|
+
10/06/2016-11:24:35.398791 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50365 -> 195.182.26.70:443
|
|
31
|
+
10/06/2016-11:24:35.688142 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50367 -> 195.182.26.70:443
|
|
32
|
+
10/06/2016-11:24:35.454109 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50365
|
|
33
|
+
10/06/2016-11:24:35.739529 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50367
|
|
34
|
+
10/06/2016-11:24:41.738544 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50369 -> 195.182.26.70:443
|
|
35
|
+
10/06/2016-11:24:41.787304 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50369
|
|
36
|
+
10/06/2016-11:24:44.080325 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50372 -> 195.182.26.70:443
|
|
37
|
+
10/06/2016-11:24:44.130042 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50372
|
|
38
|
+
10/06/2016-11:24:44.809038 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50374 -> 195.182.26.70:443
|
|
39
|
+
10/06/2016-11:24:44.856946 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50374
|
|
40
|
+
10/06/2016-11:25:39.392733 [**] [1:2402000:4200] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.216.43:443 -> 192.168.0.5:443
|
|
41
|
+
10/06/2016-11:25:39.392733 [**] [1:2403302:2973] ET CINS Active Threat Intelligence Poor Reputation IP group 3 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.216.43:443 -> 192.168.0.5:443
|
|
42
|
+
10/06/2016-11:33:03.671111 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50682 -> 195.182.26.70:443
|
|
43
|
+
10/06/2016-11:33:03.719371 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50682
|
|
44
|
+
10/06/2016-11:33:04.211684 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50684 -> 195.182.26.70:443
|
|
45
|
+
10/06/2016-11:33:04.260356 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50684
|
|
46
|
+
10/06/2016-11:33:04.869569 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50686 -> 195.182.26.70:443
|
|
47
|
+
10/06/2016-11:33:04.919184 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50686
|
|
48
|
+
10/06/2016-11:33:05.779465 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50688 -> 195.182.26.70:443
|
|
49
|
+
10/06/2016-11:33:05.790281 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50688
|
|
50
|
+
10/06/2016-11:33:08.934400 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50690 -> 195.182.26.70:443
|
|
51
|
+
10/06/2016-11:33:08.981786 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50690
|
|
52
|
+
10/06/2016-11:38:43.580726 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50707 -> 195.182.26.70:443
|
|
53
|
+
10/06/2016-11:38:43.630861 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50707
|
|
54
|
+
10/06/2016-11:42:45.210344 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50744 -> 195.182.26.70:443
|
|
55
|
+
10/06/2016-11:42:45.260877 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50744
|
|
56
|
+
10/06/2016-11:42:45.503674 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50746 -> 195.182.26.70:443
|
|
57
|
+
10/06/2016-11:42:45.554973 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50746
|
|
58
|
+
10/06/2016-11:42:45.813082 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50748 -> 195.182.26.70:443
|
|
59
|
+
10/06/2016-11:42:45.862735 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50748
|
|
60
|
+
10/06/2016-11:42:46.106513 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50750 -> 195.182.26.70:443
|
|
61
|
+
10/06/2016-11:42:46.364219 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50752 -> 195.182.26.70:443
|
|
62
|
+
10/06/2016-11:42:46.411981 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50752
|
|
63
|
+
10/06/2016-11:42:46.155033 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50750
|
|
64
|
+
10/06/2016-11:42:53.320067 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50756 -> 195.182.26.70:443
|
|
65
|
+
10/06/2016-11:42:53.370898 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50756
|
|
66
|
+
10/06/2016-11:42:53.711102 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50758 -> 195.182.26.70:443
|
|
67
|
+
10/06/2016-11:42:53.721841 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50758
|
|
68
|
+
10/06/2016-11:42:54.872327 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50760 -> 195.182.26.70:443
|
|
69
|
+
10/06/2016-11:42:54.923655 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50760
|
|
70
|
+
10/06/2016-11:44:22.320503 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:63642 -> 213.185.164.216:80
|
|
71
|
+
10/06/2016-11:46:51.362738 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:50798 -> 195.182.26.70:443
|
|
72
|
+
10/06/2016-11:46:51.412815 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:50798
|
|
73
|
+
10/06/2016-11:54:23.928145 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:63864 -> 213.185.164.216:80
|
|
74
|
+
10/06/2016-11:54:44.314769 [**] [1:2015561:2] ET INFO PDF Using CCITTFax Filter [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 87.106.10.40:80 -> 192.168.0.13:62018
|
|
75
|
+
10/06/2016-11:55:37.777647 [**] [1:2013224:12] ET POLICY Suspicious User-Agent Containing .exe [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.0.21:63876 -> 213.185.164.216:80
|
|
76
|
+
10/06/2016-12:42:18.524190 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50701 -> 195.182.26.70:443
|
|
77
|
+
10/06/2016-12:42:18.572171 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50701
|
|
78
|
+
10/06/2016-12:42:18.878037 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50703 -> 195.182.26.70:443
|
|
79
|
+
10/06/2016-12:42:18.926799 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50703
|
|
80
|
+
10/06/2016-12:42:19.574259 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50705 -> 195.182.26.70:443
|
|
81
|
+
10/06/2016-12:42:19.626434 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50705
|
|
82
|
+
10/06/2016-12:42:20.022120 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50707 -> 195.182.26.70:443
|
|
83
|
+
10/06/2016-12:42:20.072932 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50707
|
|
84
|
+
10/06/2016-12:42:20.339976 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50709 -> 195.182.26.70:443
|
|
85
|
+
10/06/2016-12:42:20.389370 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50709
|
|
86
|
+
10/06/2016-12:42:25.100167 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50712 -> 195.182.26.70:443
|
|
87
|
+
10/06/2016-12:42:25.151540 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50712
|
|
88
|
+
10/06/2016-12:42:27.593697 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:50715 -> 195.182.26.70:443
|
|
89
|
+
10/06/2016-12:42:27.641473 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:50715
|
|
90
|
+
10/06/2016-12:49:46.811236 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.17:58206 -> 136.243.54.218:443
|
|
91
|
+
10/06/2016-12:49:46.834430 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 136.243.54.218:443 -> 192.168.0.17:58206
|
|
92
|
+
10/06/2016-12:49:48.305316 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.17:58275 -> 37.252.172.70:443
|
|
93
|
+
10/06/2016-12:49:48.540260 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.252.172.70:443 -> 192.168.0.17:58275
|
|
94
|
+
10/06/2016-13:55:27.681946 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51297 -> 195.182.26.70:443
|
|
95
|
+
10/06/2016-13:55:27.733038 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51297
|
|
96
|
+
10/06/2016-13:55:28.007280 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51299 -> 195.182.26.70:443
|
|
97
|
+
10/06/2016-13:55:28.055659 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51299
|
|
98
|
+
10/06/2016-13:55:28.295711 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51301 -> 195.182.26.70:443
|
|
99
|
+
10/06/2016-13:55:28.342795 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51301
|
|
100
|
+
10/06/2016-13:55:28.579846 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51303 -> 195.182.26.70:443
|
|
101
|
+
10/06/2016-13:55:28.628843 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51303
|
|
102
|
+
10/06/2016-13:55:29.057794 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51305 -> 195.182.26.70:443
|
|
103
|
+
10/06/2016-13:55:29.067345 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51305
|
|
104
|
+
10/06/2016-13:55:30.919653 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51307 -> 195.182.26.70:443
|
|
105
|
+
10/06/2016-13:55:30.967892 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51307
|
|
106
|
+
10/06/2016-13:58:30.794280 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:51339 -> 195.182.26.70:443
|
|
107
|
+
10/06/2016-13:58:30.843475 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:51339
|
|
108
|
+
10/06/2016-14:14:25.524991 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:51087 -> 195.182.26.70:443
|
|
109
|
+
10/06/2016-14:14:25.574540 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:51087
|
|
110
|
+
10/06/2016-14:14:25.830298 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:51089 -> 195.182.26.70:443
|
|
111
|
+
10/06/2016-14:14:25.879511 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:51089
|
|
112
|
+
10/06/2016-14:14:26.072196 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:51091 -> 195.182.26.70:443
|
|
113
|
+
10/06/2016-14:14:26.123644 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:51091
|
|
114
|
+
10/06/2016-14:14:27.566537 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:51093 -> 195.182.26.70:443
|
|
115
|
+
10/06/2016-14:14:27.614581 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:51093
|
|
116
|
+
10/06/2016-14:26:04.796851 [**] [1:2018959:2] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 173.194.62.246:80 -> 192.168.0.22:49267
|
|
117
|
+
10/06/2016-15:13:43.419337 [**] [1:2018959:2] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.227.186.144:80 -> 192.168.0.12:49697
|
|
118
|
+
10/06/2016-15:25:42.722773 [**] [1:2018959:2] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 104.84.190.186:80 -> 192.168.0.22:49449
|
|
119
|
+
10/06/2016-17:06:50.928856 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.13:63778 -> 136.243.39.93:443
|
|
120
|
+
10/06/2016-17:06:50.965275 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 136.243.39.93:443 -> 192.168.0.13:63778
|
|
121
|
+
10/06/2016-17:11:20.543656 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52373 -> 195.182.26.70:443
|
|
122
|
+
10/06/2016-17:11:20.594119 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52373
|
|
123
|
+
10/06/2016-17:11:23.117712 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52377 -> 195.182.26.70:443
|
|
124
|
+
10/06/2016-17:11:23.409590 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52379 -> 195.182.26.70:443
|
|
125
|
+
10/06/2016-17:11:23.165725 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52377
|
|
126
|
+
10/06/2016-17:11:23.456747 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52379
|
|
127
|
+
10/06/2016-17:11:23.706986 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52381 -> 195.182.26.70:443
|
|
128
|
+
10/06/2016-17:11:23.754938 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52381
|
|
129
|
+
10/06/2016-17:11:23.965564 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52383 -> 195.182.26.70:443
|
|
130
|
+
10/06/2016-17:11:24.013870 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52383
|
|
131
|
+
10/06/2016-17:11:26.529664 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52386 -> 195.182.26.70:443
|
|
132
|
+
10/06/2016-17:11:26.579047 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52386
|
|
133
|
+
10/06/2016-17:11:27.193283 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52388 -> 195.182.26.70:443
|
|
134
|
+
10/06/2016-17:11:27.205002 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52388
|
|
135
|
+
10/06/2016-17:11:29.563647 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52390 -> 195.182.26.70:443
|
|
136
|
+
10/06/2016-17:11:29.610961 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52390
|
|
137
|
+
10/06/2016-17:16:05.701318 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.20:52415 -> 195.182.26.70:443
|
|
138
|
+
10/06/2016-17:16:05.748978 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.20:52415
|
|
139
|
+
10/06/2016-18:27:22.260810 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:52404 -> 195.182.26.70:443
|
|
140
|
+
10/06/2016-18:27:22.309444 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:52404
|
|
141
|
+
10/06/2016-18:27:22.878087 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:52406 -> 195.182.26.70:443
|
|
142
|
+
10/06/2016-18:27:23.116603 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:52408 -> 195.182.26.70:443
|
|
143
|
+
10/06/2016-18:27:22.929708 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:52406
|
|
144
|
+
10/06/2016-18:27:23.166721 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:52408
|
|
145
|
+
10/06/2016-18:27:23.395819 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.23:52410 -> 195.182.26.70:443
|
|
146
|
+
10/06/2016-18:27:23.443786 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 195.182.26.70:443 -> 192.168.0.23:52410
|
|
147
|
+
10/06/2016-19:03:04.751445 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.13:49344 -> 216.58.214.130:443
|
|
148
|
+
10/06/2016-19:03:04.754773 [**] [1:2230003:1] SURICATA TLS invalid handshake message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.58.214.130:443 -> 192.168.0.13:49344
|
|
149
|
+
10/06/2016-21:31:41.925044 [**] [1:2402000:4200] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.240.144.65:42206 -> 192.168.0.5:443
|
|
150
|
+
10/06/2016-21:31:41.925044 [**] [1:2403302:2973] ET CINS Active Threat Intelligence Poor Reputation IP group 3 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.240.144.65:42206 -> 192.168.0.5:443
|
|
151
|
+
10/07/2016-04:48:38.031059 [**] [1:2500034:4093] ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 183.129.160.229:811 -> 192.168.0.5:80
|
data/misc/fast.log.2.gz
ADDED
|
Binary file
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: suricata
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Wolfgang Hotwagner
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2017-01-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -71,13 +71,17 @@ files:
|
|
|
71
71
|
- bin/console
|
|
72
72
|
- bin/setup
|
|
73
73
|
- exe/check_suricata
|
|
74
|
+
- exe/surilizer.rb
|
|
74
75
|
- lib/suricata.rb
|
|
75
76
|
- lib/suricata/connection.rb
|
|
76
77
|
- lib/suricata/fast.rb
|
|
77
78
|
- lib/suricata/logfile.rb
|
|
78
79
|
- lib/suricata/nagios.rb
|
|
80
|
+
- lib/suricata/surilizer.rb
|
|
79
81
|
- lib/suricata/version.rb
|
|
80
82
|
- misc/fast.log
|
|
83
|
+
- misc/fast.log.1
|
|
84
|
+
- misc/fast.log.2.gz
|
|
81
85
|
- misc/whitelist.txt
|
|
82
86
|
- suricata.gemspec
|
|
83
87
|
homepage: https://github.com/whotwagner/suricata
|