Reality based Suricata

Suricata and Bro fighting malware together

Created by Michal Purzynski / @michalpurzynski, Mozilla Corporation, Enterprise Information Security team.

ETPRO TROJAN XCodeGhost Beacon  2
ET TROJAN XcodeGhost CnC M2  2
ET TROJAN XcodeGhost CnC Checkin  2
ET TROJAN XCodeGhost DNS Lookup  2

bro@nsm1-mtv2:/nsm/bro/logs$ zcat 2016-08-22/dns.* | bro-cut id.orig_h query answers | egrep '10.252.35.219' | sort | uniq -c | sort -n
(...)
1 10.252.35.219   init.icloud-analysis.com    5.79.71.205,5.79.71.225,85.17.31.82,85.17.31.122,178.162.203.202,178.162.203.211,178.162.203.226,178.162.217.107
2 10.252.35.219   g1.163.com  123.58.176.66,123.58.176.65,123.58.179.210,123.58.179.240
2 10.252.35.219   music.163.com   103.251.128.85,103.251.128.86

10.252.35.219   POST    init.icloud-analysis.com    /   -   %E7%BD%91%E6%98%93%E4%BA%91%E9%9F%B3%E4%B9%90/2.8.2 CFNetwork/758.5.3 Darwin/15.6.0 -   -   -
10.252.35.219   POST    init.icloud-analysis.com    /   -   %E7%BD%91%E6%98%93%E4%BA%91%E9%9F%B3%E4%B9%90/2.8.2 CFNetwork/758.5.3 Darwin/15.6.0 -   -   -

(the User-Agent is percent-encoded UTF-8: 网易云音乐 2.8.2, i.e. the NetEase Cloud Music iOS app)

bro@nsm1-mtv2:/nsm/bro/logs/2016-08-22$ zcat dhcp.* | egrep '10.252.35.219' | head -1
1471894350.300685   CTziht3xbzECu9epCa  10.252.75.120   67  10.252.32.1 67  a0:99:9b:6b:b6:ca   10.252.35.219   43200.000000    2271882108

bro@nsm1-mtv2:/nsm/bro/logs/2016-08-22$ zcat ../2016-08-*/dhcp.* | egrep 'a0:99:9b:6b:b6:ca' | wc -l
106

(a story)

Who are you?

HTTP logs - User Agent iPhone; iPhone OS 9.3.4; zh-Hans_US

HTTP / SSL / DNS logs - multiple Mandarin apps

DHCP logs - user visits MTV2 irregularly

Opportunistic connections to the Guest WiFi. Little to no traffic.

Badging system logs!!

whoami (building credentials)

Protecting Mozilla users, and that includes YOU

The Team released MozDef, MIG, tons of Bro scripts

observatory.mozilla.org

"A human wireshark". A threat. Management.

We had a long journey to Suricata!!

(an excuse to show 'funny' photos)

NSM in Mozilla

9 offices
3 continents
1 datacenter
X AWS

From 2012. Netoptics, now Arista.

(our 'global/cloud' infrastructure)

Monitor internal and external traffic

(a 'serious' diagram)

Our ruleset

Emerging Threats Pro

Local rules

10 000 rules are active North-South only

11 000 rules active everywhere

Rules are like insurance

Definitions are everything

HOME_NET: our networks

EXTERNAL_NET: "any"

REALLY_EXTERNAL_NET: "!$HOME_NET"

(very different from your usual configuration)
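The three variables above as a suricata.yaml address-groups fragment, added here as an illustration and not the author's actual configuration (the HOME_NET prefixes are placeholders). The stock default is shown commented out for contrast:

```yaml
vars:
  address-groups:
    # Stock suricata.yaml default: EXTERNAL_NET is "everything that is not HOME_NET",
    # so a $HOME_NET -> $EXTERNAL_NET rule never sees internal <-> internal traffic.
    # HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    # EXTERNAL_NET: "!$HOME_NET"

    # The setup described on this slide (prefixes are placeholders for the example):
    HOME_NET: "[10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "any"               # rules keep matching internal <-> internal traffic
    REALLY_EXTERNAL_NET: "!$HOME_NET"  # opt-in, for categories that only make sense at the perimeter
```

With EXTERNAL_NET set to "any", every $HOME_NET -> $EXTERNAL_NET rule also fires on east-west traffic, which is what makes the "rules active everywhere" set possible; the categories that should stay north-south are then rewritten to use $REALLY_EXTERNAL_NET. Any variable a rule references has to exist under address-groups, otherwise Suricata refuses to load that rule.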

How do you avoid false positives?

Change direction by category

Catch one-offs

Example: TROJAN rules get $EXTERNAL_NET replaced by $REALLY_EXTERNAL_NET ("!$HOME_NET"), so the category is only active for

$HOME_NET -> $REALLY_EXTERNAL_NET ("!$HOME_NET")

$REALLY_EXTERNAL_NET ("!$HOME_NET") -> $HOME_NET

What to catch North-South

CnC - likely

A stage of infection - if lucky

Exfiltration? Unlikely

(Michal - telling like it is from 19XX)

North --> South rules

MALWARE

TROJAN

WORM

P2P

GAMES

EXPLOIT - up to you

WEB_CLIENT

A tangible piece of advice

Rules active everywhere

CURRENT_EVENTS

POLICY - worth the tuning (a lot, a lot)

INFO - will surprise you (after tuning)

USER_AGENTS - your daily source of joy

A tangible piece of advice

Rule tuning tips

Disable unnecessary categories - disablesid.conf

Disable or silence only the most noisy sids

Hint: it's OK to not be perfect!

Rewrite by category

Be operationally efficient. Your time costs more than RAM!

74 lines - modifysid.conf

79 lines - disablesid.conf

That's it for tuning :-)
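A minimal rules pre-processor that does both things these slides describe, disabling by sid or category (the disablesid.conf part) and rewriting the direction of whole north-south categories to $REALLY_EXTERNAL_NET (the modifysid.conf part), is sketched below. This is an added example, not the author's pulledpork setup: the sample rules are constructed (made-up sids in the 9000000 range, ET-style msg prefixes), the category is read from the msg prefix the way ET names it, and the NORTH_SOUTH set mirrors the earlier slide. The rewritten rules assume REALLY_EXTERNAL_NET is defined in suricata.yaml.

```python
import re

# Categories the slides move to north-south only; assumed from the deck, adjust locally.
NORTH_SOUTH = frozenset({"TROJAN", "MALWARE", "WORM", "P2P", "GAMES", "EXPLOIT", "WEB_CLIENT"})

# action, header (everything up to the first "("), options (inside the outer parentheses)
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

# Constructed sample rules (made-up sids, ET-style msg prefixes); not real ET content.
SAMPLE_RULES = r'''
# local sids go first
alert dns $HOME_NET any -> any any (msg:"LOCAL suspicious dns query"; dns.query; content:"example"; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example CnC Checkin"; flow:established,to_server; http.method; content:"POST"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Example Beacon Response (Anti-Debug)"; flow:established,to_client; content:"|00 01|"; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Example PE EXE Download"; flow:established,to_client; file_data; content:"MZ"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO GAMES Example Game Login"; sid:9000004; rev:1;)
#alert tcp any any -> any any (msg:"ET TROJAN Already disabled upstream"; sid:9000005; rev:1;)
'''


def category_of(msg):
    """ET rules carry the category in the msg prefix: 'ET TROJAN ...', 'ETPRO MALWARE ...'."""
    toks = msg.split()
    if len(toks) >= 2 and toks[0] in ("ET", "ETPRO"):
        return toks[1].upper()
    return "LOCAL"  # anything else is treated as a local rule and left alone


def parse_rule(line):
    stripped = line.strip()
    enabled = not stripped.startswith("#")
    m = RULE_RE.match(stripped.lstrip("# "))
    if not m:
        return None  # blank line, plain comment, or a line we do not understand
    sid, msg = SID_RE.search(m["options"]), MSG_RE.search(m["options"])
    if not (sid and msg):
        return None
    return {"enabled": enabled, "action": m["action"], "header": m["header"],
            "options": m["options"], "sid": int(sid.group(1)),
            "msg": msg.group(1), "category": category_of(msg.group(1))}


def tune_rule(line, disabled_sids=frozenset(), disabled_categories=frozenset(),
              north_south=NORTH_SOUTH):
    rule = parse_rule(line)
    if rule is None or not rule["enabled"]:
        return line.rstrip("\n")  # comments and already-disabled rules pass through untouched
    if rule["sid"] in disabled_sids or rule["category"] in disabled_categories:
        return "#" + line.strip()  # disablesid.conf equivalent
    header = rule["header"]
    if rule["category"] in north_south:
        # modifysid.conf equivalent. Only the header is touched, so a literal
        # "$EXTERNAL_NET" inside a content:/pcre: option is never rewritten.
        header = header.replace("$EXTERNAL_NET", "$REALLY_EXTERNAL_NET")
    return f'{rule["action"]} {header} ({rule["options"]})'


def tune_rules(text, **kw):
    """Apply tune_rule line by line; returns the new rules file as a list of lines."""
    return [tune_rule(line, **kw) for line in text.splitlines()]
```

Running tune_rules(SAMPLE_RULES, disabled_sids={9000004}) leaves the LOCAL and POLICY rules alone, flips both TROJAN rules to $REALLY_EXTERNAL_NET on whichever side $EXTERNAL_NET appeared, comments out the GAMES rule and passes the upstream-disabled rule through. Rewriting by category rather than by sid is what keeps the config at a few dozen lines when the ruleset is in the tens of thousands.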

Several Kibana dashboards and 2x 24-inch 4K monitors

"Suricata - interesting"

daily hunting

"Suricata"- every single match. Used for context

"/nsm/bro/logs/" - used for more context ;)

(hint: that’s not suri)

(hint2: could well be, hi, eve-log)

Select interesting events

CnC, phishing, current_events, checkin, java = trojan, pdf = exploit, flash = suspicious, malware, domain, a_local_sids_set and more

In a real world

How do we hunt?

Filter out context-only events

Check everything else, lookup context JIT, correlate by IP

Interesting? Maybe

ET MALWARE Suspicious User-Agent (1 space)
ET INFO Suspicious Mozilla UA with no Space after colon

il buono (the good)

Interesting? Yes!

ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
ETPRO MALWARE PUP Win32/4Shared.D Checkin 1
ETPRO TROJAN StrongPity SSL Cert 2
ET POLICY Vulnerable Java Version 1.8.x Detected
ETPRO MALWARE PUP Win32/4Shared.D Checkin 1

il brutto (the ugly)

OK, that's obvious :-)

ETPRO MALWARE Win32/PCKeeper PUP Activity
ET TROJAN AntiVirus exe Download Likely FakeAV Install
ET MALWARE Win32/InstallCore Initial Install Activity 1
ETPRO MALWARE Win32/InstallCore Initial Install Activity 2

il cattivo (the bad)

How about this?

ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY PE EXE or DLL Windows file download
ET POLICY PE EXE or DLL Windows file download
ET POLICY PE EXE or DLL Windows file download
ET POLICY PE EXE or DLL Windows file download
ET POLICY PE EXE or DLL Windows file download
ET POLICY PE EXE or DLL Windows file download
ETPRO MALWARE Win32/PCKeeper PUP Activity
ETPRO MALWARE Win32/PCKeeper PUP Activity
ET POLICY PE EXE or DLL Windows file download
ET MALWARE Possible FakeAV Binary Download
ET TROJAN AntiVirus exe Download Likely FakeAV Install
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO EXE - Served Attached HTTP
ET MALWARE Win32/InstallCore Initial Install Activity 1
ET MALWARE Win32/InstallCore Initial Install Activity 1
ETPRO MALWARE Win32/InstallCore Initial Install Activity 2
ET POLICY PE EXE or DLL Windows file download
ET INFO EXE - Served Attached HTTP

Likely a true positive. Likely is not enough

Trust matters

conn.log - dns.log - http.log - ssl.log - x509.log - radius.log - dhcp.log
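The hunting workflow from the "How do we hunt?" slides (filter out context-only events, check everything else, correlate by IP) and the "trust matters" step here (pull the Bro logs for that host before deciding) in one runnable sketch. This is an added example, not the author's tooling: HOME_NET, the context-only signature list, the interesting-words list and the eve.json and http.log records are all constructed for the example, modelled on the PCKeeper case on these slides.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]  # assumed for the example

# Signatures that only add context and are never the reason to open a case.
# Assumed list, modelled on the slides' advice, not the author's configuration.
CONTEXT_ONLY = {
    "ET POLICY PE EXE or DLL Windows file download",
    "ET INFO EXE - Served Attached HTTP",
    "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)",
}
# Words from the "select interesting events" slide; anything else that is not
# context-only is still looked at ("check everything else").
INTERESTING = ("cnc", "phishing", "current_events", "checkin", "malware", "trojan", "fakeav")

# Constructed eve.json records in the shape Suricata writes (values are made up).
EVE_LINES = """
{"timestamp":"2016-07-15T17:39:54.100000+0000","event_type":"alert","src_ip":"10.252.28.186","dest_ip":"54.210.191.0","alert":{"signature":"ET POLICY PE EXE or DLL Windows file download"}}
{"timestamp":"2016-07-15T17:39:55.200000+0000","event_type":"alert","src_ip":"54.210.191.0","dest_ip":"10.252.28.186","alert":{"signature":"ET INFO EXE - Served Attached HTTP"}}
{"timestamp":"2016-07-15T17:39:56.300000+0000","event_type":"alert","src_ip":"10.252.28.186","dest_ip":"23.22.68.216","alert":{"signature":"ETPRO MALWARE Win32/PCKeeper PUP Activity"}}
{"timestamp":"2016-07-15T17:40:00.400000+0000","event_type":"alert","src_ip":"205.251.215.170","dest_ip":"10.252.28.186","alert":{"signature":"ET POLICY PE EXE or DLL Windows file download"}}
{"timestamp":"2016-07-15T18:10:00.000000+0000","event_type":"alert","src_ip":"10.252.40.7","dest_ip":"198.51.100.9","alert":{"signature":"ET POLICY PE EXE or DLL Windows file download"}}
{"timestamp":"2016-07-15T17:41:00.000000+0000","event_type":"flow","src_ip":"10.252.28.186","dest_ip":"23.22.68.216"}
"""

# Constructed Bro http.log (tab-separated, a subset of the real columns, epoch timestamps).
BRO_HTTP = (
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent\tresp_mime_types\n"
    "1468604394.1\tC1\t10.252.28.186\t54.210.191.0\tGET\tdownload.pckeeper.com\t/download.php\tPCKInstaller 1.1.957.8\tapplication/x-dosexec\n"
    "1468604400.0\tC2\t10.252.28.186\t205.251.215.170\tGET\tcdn.pckeeper.com\t/pckeeper/dist/vcredist_x64.exe\tPCKInstaller 1.1.957.8\tapplication/x-dosexec\n"
    "1468604400.5\tC2\t10.252.28.186\t205.251.215.170\tGET\tcdn.pckeeper.com\t/pckeeper/security/builds/PCKAV64.msi\tPCKInstaller 1.1.957.8\tapplication/msword\n"
    "1468605000.0\tC3\t10.252.28.186\t93.184.216.34\tGET\texample.com\t/\tMozilla/5.0\ttext/html\n"
)


def internal_host(ev):
    """Key on the HOME_NET side: for a to_client signature Suricata's src_ip is the server."""
    for ip in (ev["src_ip"], ev["dest_ip"]):
        if any(ipaddress.ip_address(ip) in net for net in HOME_NET):
            return ip
    return None


def classify(signature):
    if signature in CONTEXT_ONLY:
        return "context"
    return "interesting" if any(w in signature.lower() for w in INTERESTING) else "other"


def parse_eve(text):
    for line in filter(None, map(str.strip, text.splitlines())):
        ev = json.loads(line)
        if ev.get("event_type") == "alert":  # flow, http, dns... records are skipped here
            ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            yield ev


def parse_bro_http(text):
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            row["ts"] = datetime.fromtimestamp(float(row["ts"]), tz=timezone.utc)
            yield row


def hunt(eve_text, bro_http_text, window=timedelta(minutes=5)):
    """Per internal host: drop context-only hosts, then pull http.log around the alerts."""
    http = list(parse_bro_http(bro_http_text))
    per_host = defaultdict(lambda: {"check": [], "context": 0})
    for ev in parse_eve(eve_text):
        host = internal_host(ev)
        if host is None:
            continue
        kind = classify(ev["alert"]["signature"])
        if kind == "context":
            per_host[host]["context"] += 1
        else:
            per_host[host]["check"].append((ev["ts"], kind, ev["alert"]["signature"]))
    report = {}
    for host, seen in per_host.items():
        if not seen["check"]:
            continue  # only context-only events: filtered out, not worth a click
        stamps = [ts for ts, _, _ in seen["check"]]
        lo, hi = min(stamps) - window, max(stamps) + window
        rows = [r for r in http if r["id.orig_h"] == host and lo <= r["ts"] <= hi]
        report[host] = {
            "alerts": sorted({(kind, sig) for _, kind, sig in seen["check"]}),
            "context_alerts": seen["context"],
            "hosts": sorted({r["host"] for r in rows}),
            "user_agents": sorted({r["user_agent"] for r in rows}),
            # Bro's MIME sniffing reports MSI packages as application/msword (see the
            # http.log below), so filtering on x-dosexec alone misses them; match the URI too.
            "payloads": [r["host"] + r["uri"] for r in rows
                         if r["resp_mime_types"] == "application/x-dosexec"
                         or r["uri"].lower().endswith((".exe", ".msi"))],
        }
    return report
```

hunt(EVE_LINES, BRO_HTTP) reports only 10.252.28.186: the host that fired nothing but "PE EXE download" is dropped, while the PCKeeper host comes back with its one interesting alert, three context alerts, the two pckeeper.com hosts, the PCKInstaller User-Agent and three downloaded payloads, all inside a five-minute window around the alerts; the unrelated example.com request ten minutes later stays out. That per-host bundle is what decides whether "likely" becomes "confirmed".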

                        
2016-07-15T17:39:54+0000    C4uKjW65TBDf4szi5   10.252.28.186   58430   54.210.191.0    80  1   GET download.pckeeper.com   /download.php?affid=mzb_260.12068868.1468604394.20.mzb&utm_source=irs&utm_medium=ppi&utm_campaign=pck_irs_ppi_t17_AV_ff&utm_term=&utm_content=&userDefiner=mzb_2410&trt=32_1049070001&tid_ext=217;YD0E0ETD0CYDTDYCTDYE0E0BYDTC0EYC2RTBTDTCYCTDYBTCYDTCTDTAZYTBZYYEYCTD  -   PCKInstaller 1.1.957.8  0   1427040 200 OK  -   -   -   (empty) -   FgXZ4O2CHKa6CAGatc  application/x-dosexec   -   -   1.1
2016-07-15T17:39:56+0000    Cg4wDIyAY57iEt8h8   10.252.28.186   58439   23.22.68.216    80  1   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=InstallInit|VER_1.1.1049_VER&prodID=32&affid=153.6970914.1409408191.6.mzb&trt=17&bundleId=AV:1.1.1049.0.0:17    -   PCKInstaller 1.1.957.8  0   28  200 OK  -   -   -   (empty) -   -   -   -   -   FCskr83Cwd3wpAFu6j  text/plain  -   -   1.1
2016-07-15T17:39:56+0000    Cg4wDIyAY57iEt8h8   10.252.28.186   58439   23.22.68.216    80  2   GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=InstallInit|VER_1.1.957_VER&prodID=PCKInstaller&affid=153.6970914.1409408191.6.mzb&trt=0&bundleId=AV:1.1.1049.0.0:17 -   PCKInstaller 1.1.957.8  0   28  200 OK  -   -   (empty) -   -   -   -   -   FaMSf6ahxBWySNDXf   text/plain  -   -   1.1
2016-07-15T17:39:59+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  1   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=OtherAVInstalled1|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FI7bdx1VxnUejyurTb  text/plain  -   -   1.1
2016-07-15T17:39:59+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  2   GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=OtherAVInstalled1|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   (empty) -   -   -   -   -   FXo3CcaYpz1hyJeej   text/plain  -   -   1.1
2016-07-15T17:39:59+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  3   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=AV_Installed_KASPERSKY ENDPOINT SECURITY 10 FOR WINDOWS|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FldiS4pwOY3ePxg92   text/plain  1.1
2016-07-15T17:40:00+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  4   GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=AV_Installed_KASPERSKY ENDPOINT SECURITY 10 FOR WINDOWS|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  30  200 OK  -   -   -   (empty) -   -   -   -   -   F7yYAvZEmMePgH0Mj   text/plain  -   -   1.1
2016-07-15T17:40:00+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  5   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=OtherAntiSpywareInstalled1|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FPTDkM2GsM4qn6f2g1  text/plain  -   -   1.1
2016-07-15T17:40:00+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  6   GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=OtherAntiSpywareInstalled1|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  (empty) -   -   -   -   -   FngExSN5alF4k3Dsd   text/plain  -   -   1.1
2016-07-15T17:40:00+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  7   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=AntiSpyware_Installed_KASPERSKY ENDPOINT SECURITY 10 FOR WINDOWS|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FKvwiqfAaIiVGkTyh   text/plain  -   -   1.1
2016-07-15T17:39:59+0000    CJkoAg4fmQ2KRPGT9c  10.252.28.186   58462   205.251.215.170 80  1   GET cdn.pckeeper.com    /pckeeper/dist/vcredist_x64.exe -   PCKInstaller 1.1.957.8  0   5225304 200 OK  -   -   (empty) -   -   -   -   -   Ftgz2rUe8inyglBUk   application/x-dosexec   -   -   1.1
2016-07-15T17:40:00+0000    CJkoAg4fmQ2KRPGT9c  10.252.28.186   58462   205.251.215.170 80  2   GET cdn.pckeeper.com    /pckeeper/accsvc/builds/1.1.69.0/AccountSvc64.msi?affid=260.12068868.1468604394.20.mzb  -   PCKInstaller 1.1.957.8  0   737280  200 OK  -   -   -   (empty) -   -   -   -   -   F4nsWj2r1Un9NtpMnd  application/msword  -   -   1.1
2016-07-15T17:40:00+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  8   GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=AntiSpyware_Installed_KASPERSKY ENDPOINT SECURITY 10 FOR WINDOWS|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FUpppYzJpAMf4aUC5   text/plain  -   -   1.1
2016-07-15T17:40:01+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  9   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=DotNet45Installed|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FMWl7YiaIxpxjhGLb   text/plain  -   -   1.1
2016-07-15T17:40:01+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  10  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=DotNet45Installed|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   (empty) -   -   -   -   -   FnaR7g2UOtSuPOFEk8  text/plain  -   -   1.1
2016-07-15T17:40:01+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  11  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=DropboxIsNotInstalled|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   F0o2bC287PT8V3o6K9  text/plain  -   -   1.1
2016-07-15T17:40:01+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  12  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=DropboxIsNotInstalled|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   (empty) -   -   -   -   -   FN8OPj3r8AXKUXF1gi  text/plain  -   -   1.1
2016-07-15T17:40:02+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  13  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=InstallRun|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty)FgDyny1gzAtc1mwlXd   text/plain  -   -   1.1
2016-07-15T17:40:02+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  14  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=InstallRun|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FPRNTU34a1LsbU2KM8  text/plain  -   -   1.1
2016-07-15T17:40:02+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  15  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=InstallSilent|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty)Fenwr83FApLNPf05lg   text/plain  -   -   1.1
2016-07-15T17:40:02+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  16  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=InstallSilent|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FsHlVJ1c9aEYagkd37  text/plain  -   -   1.1
2016-07-15T17:40:01+0000    CJkoAg4fmQ2KRPGT9c  10.252.28.186   58462   205.251.215.170 80  3   GET cdn.pckeeper.com    /pckeeper/security/builds/1.1.1049.0/PCKAV64.msi?affid=260.12068868.1468604394.20.mzb   -   PCKInstaller 1.1.957.8  0   8105984 200 OK  -   -   -   (empty) -   -   -   -   -   F0lRiXfDJ2aNH0WN4   application/msword  -   -   1.1
2016-07-15T17:40:03+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  17  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=InstallStart|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty)FUtJOf3n0nwUJM5zfc   text/plain  -   -   1.1
2016-07-15T17:40:03+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  18  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=InstallStart|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FsPZWS33FBGeHOGXkh  text/plain  -   -   1.1
2016-07-15T17:40:03+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  19  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Download_Started_VS2008|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   Fg9sxe4TteSrgGz8xe  text/plain  -   -   1.1
2016-07-15T17:40:03+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  20  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Download_Started_VS2008|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  (empty) -   -   -   -   -   F915XF2OUYCeKMBhFi  text/plain  -   -   1.1
2016-07-15T17:40:03+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  21  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Download_Finished_VS2008|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FH63DP3uoA01w0WmJf  text/plain  -   -   1.1
2016-07-15T17:40:03+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  22  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Download_Finished_VS2008|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  (empty) -   -   -   -   -   Fyje5x1Bx4QPBKer59  text/plain  -   -   1.1
2016-07-15T17:40:04+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  23  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Download_Started_AccSvc|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FR3FCV38jrdQnBBRxl  text/plain  -   -   1.1
2016-07-15T17:40:04+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  24  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Download_Started_AccSvc|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  (empty) -   -   -   -   -   FKgnxG2KIGWAUrbaRk  text/plain  -   -   1.1
2016-07-15T17:40:04+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  25  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Install_Started_VS2008|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FOkg8C3xf00Xp9pi91  text/plain  -   -   1.1
2016-07-15T17:40:04+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  26  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Install_Started_VS2008|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   (empty) -   -   -   -   -   FOiuEV3tfzpSSCn2W7  text/plain  -   -   1.1
2016-07-15T17:40:04+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  27  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Download_Finished_AccSvc|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   F0k13v4bfOkxhAi3z2  text/plain  -   -   1.1
2016-07-15T17:40:05+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  28  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Download_Finished_AccSvc|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  (empty) -   -   -   -   -   F6mv0o1LodqvQx2rP2  text/plain  -   -   1.1
2016-07-15T17:40:05+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  29  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Download_Started_PCKAV|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FjPg0XHVBvoArxJo6   text/plain  -   -   1.1
2016-07-15T17:40:05+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  30  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Download_Started_PCKAV|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   (empty) -   -   -   -   -   FpovEo1VIqoGsG5foh  text/plain  -   -   1.1
2016-07-15T17:40:05+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  31  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Download_Finished_PCKAV|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FdseGbZifCB7t1MMg   text/plain  -   -   1.1
2016-07-15T17:40:05+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  32  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Download_Finished_PCKAV|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  (empty) -   -   -   -   -   FJeXix1wvzVt457qdl  text/plain  -   -   1.1
2016-07-15T17:40:26+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  33  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Install_Finished_VS2008|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FNUpy4NPIINZc59Vi   text/plain  -   -   1.1
2016-07-15T17:40:26+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  34  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Install_Finished_VS2008|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  (empty) -   -   -   -   -   FMSyAS2BQ6O5xvnaIe  text/plain  -   -   1.1
2016-07-15T17:40:26+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  35  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Install_Started_AccSvc|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   F2eSpe10j9NSGHL8g4  text/plain  -   -   1.1
2016-07-15T17:40:26+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  36  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Install_Started_AccSvc|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   (empty) -   -   -   -   -   Fz4qMv3gc1JKKoNBgc  text/plain  -   -   1.1
2016-07-15T17:40:35+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  37  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Install_Finished_AccSvc|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001   -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FgkpdL1G9Ye6zFguel  text/plain  -   -   1.1
2016-07-15T17:40:35+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  38  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Install_Finished_AccSvc|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  (empty) -   -   -   -   -   FWvLi92BPR3zLmjXx7  text/plain  -   -   1.1
2016-07-15T17:40:36+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  39  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Install_Started_PCKAV|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FmdXO72UsnCmcVB89b  text/plain  -   -   1.1
2016-07-15T17:40:36+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  40  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Install_Started_PCKAV|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   (empty) -   -   -   -   -   FLUw2y2oYujMMzNZgf  text/plain  -   -   1.1
2016-07-15T17:41:05+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  41  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=Install_Finished_PCKAV|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001    -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FUobO01fSxF1Dso533  text/plain  -   -   1.1
2016-07-15T17:41:05+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  42  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=Install_Finished_PCKAV|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   (empty) -   -   -   -   -   FPrDvD1aJskC8TPvn6  text/plain  -   -   1.1
2016-07-15T17:41:06+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  43  GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=InstallFinish|VER_1.1.1049_VER&prodID=32&affid=260.12068868.1468604394.20.mzb&trt=17&bundleId=32_1049070001 -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   -   (empty)FGTGI3E8bWqe24069    text/plain  -   -   1.1
2016-07-15T17:41:06+0000    CM2Vh1chCZvJXiaM8   10.252.28.186   58460   23.22.68.216    80  44  GET event.pckeeper.com  /event.php?step=PCKInstallerEventStat&mess=InstallFinish|VER_1.1.957_VER&prodID=PCKInstaller&affid=260.12068868.1468604394.20.mzb&trt=0&bundleId=32_1049070001  -   PCKInstaller 1.1.957.8  0   30  200 OK  -   -   (empty) -   -   -   -   -   FPBZCB1GaUndfcd67h  text/plain  -   -   1.1
2016-07-15T17:41:07+0000    C3DP3z3I7za9d5nIi9  10.252.28.186   58888   52.205.153.76   80  1   GET av.pckeeper.com /ocf/av/check-offline-base?in7z=1   -   -   0   157 200 OK  -   -   -   (empty)Fp5oiD1ndRBsEkgjE4   text/json   -   -   1.1
2016-07-15T17:41:21+0000    CZ9H5a4edILneDOzb4  10.252.28.186   59016   52.21.43.13 80  1   GET stats.pckeeper.com  /soft-data-stats?ltrt=0&security=1.1.1049.0&strt=17&accsvc=1.1.69.0&installer=1.1.957.8&affid=260.12068868.1468604394.20.mzb&compid=1ed49752-f0cd-4d3e-b198-c7fa76160527:S20GNYAG405071:&product_id=32&active=0 -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   0   200 OK  -   -   -   (empty) -   -   -   -   -   -   1.1
2016-07-15T17:41:21+0000    CINDIb2yzVhOoqwsT   10.252.28.186   59020   23.22.68.216    80  1   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=FirstRun|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   (empty) -   -   -   -   -   F0dxod325Kz5hBgqt6  text/plain  -   -   1.1
2016-07-15T17:41:21+0000    CQilh22OiFTGsOatcg  10.252.28.186   59019   23.22.68.216    80  1   GET event.pckeeper.com  /event.php?step=FirstRun&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001   -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   -   (empty) -   -   -   Fg8pXF4QeCEwGUax2g  text/plain  -   -   1.1
2016-07-15T17:41:22+0000    CQilh22OiFTGsOatcg  10.252.28.186   59019   23.22.68.216    80  2   GET event.pckeeper.com  /event.php?step=stats&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001&mess={\x0d\x0a  "osVersion": "6.2.9200.0",\x0d\x0a  "softVersion": "1.1.1049.0"\x0d\x0a} -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  30  200 OK  -   -   -   (empty) -   -   -   -   -   FbY9n53iDcPddJ8oyi  text/plain  -   -   1.1
2016-07-15T17:41:22+0000    CINDIb2yzVhOoqwsT   10.252.28.186   59020   23.22.68.216    80  2   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScanInitializing|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  (empty) -   -   -   -   -   Fpjl803sX9WZVPfZw4  text/plain  -   -   1.1
2016-07-15T17:41:22+0000    CQilh22OiFTGsOatcg  10.252.28.186   59019   23.22.68.216    80  3   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScanInitialized|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001 -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   (empty) -   -   -   -   -   FBfdk64kLGabyxg41f  text/plain  -   -   1.1
2016-07-15T17:41:22+0000    CQilh22OiFTGsOatcg  10.252.28.186   59019   23.22.68.216    80  4   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScanProcessStarted|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  (empty) -   -   -   -   -   Fmeewd2hl1ZQR2aJsa  text/plain  -   -   1.1
2016-07-15T17:41:22+0000    CINDIb2yzVhOoqwsT   10.252.28.186   59020   23.22.68.216    80  3   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScanThreadWaitOne|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001   -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  (empty) -   -   -   -   -   Fukxwy1lPS9mKM013j  text/plain  -   -   1.1
2016-07-15T17:41:07+0000    CHLb1U3zfXLWqWCTmb  10.252.28.186   58890   158.69.117.54   80  1   GET cdn-av.pckeeper.com /ocf/av/download-offline-base/files/ob_all.zip  -   -   0   46695810    200 OK  -   (empty) -   -   -   -   -   F3Htw92rlwF0XqWbN5  application/zip -   -   1.1
2016-07-15T17:41:40+0000    CrJYh63tzXjf8IkSxa  10.252.28.186   59023   205.251.215.170 80  1   GET cdn.pckeeper.com    /pckeeper/security/key/Essentware/HBEDV.ver -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   10  200 OK  -   -   -   (empty) -   -   -   -   -   FfMYfx2q8e2PdudqV   text/plain  1.1
2016-07-15T17:41:40+0000    CrJYh63tzXjf8IkSxa  10.252.28.186   59023   205.251.215.170 80  2   GET cdn.pckeeper.com    /pckeeper/security/key/Essentware/HBEDV.key -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   512 200 OK  -   -   -   (empty) -   -   -   -   -   FMT2uE4GFBvBp4oida  text/plain  1.1
2016-07-15T17:46:33+0000    CXRkZsFWLt1gvysg2   10.252.28.186   59391   52.3.131.11 80  1   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=AntivirusEngineInitializationTime_0_1_Min|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001 -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FAT6G6IJvXz27g001   text/plain  1.1
2016-07-15T17:46:34+0000    Cz1NgX1WKeuIQ0frT2  10.252.28.186   59393   52.3.131.11 80  1   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=RTPON|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001 -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FDmJrG10L8EAD7tmyj  text/plain  -   -   1.1
2016-07-15T17:56:34+0000    CqvYV64bF55bgEhil4  10.252.28.186   59999   23.22.68.216    80  1   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScanOnScanTimerEllapsed|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001 -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  (empty) -   -   -   -   -   FRQO1w40d2b2aEnkQj  text/plain  -   -   1.1
2016-07-15T17:56:34+0000    CqvYV64bF55bgEhil4  10.252.28.186   59999   23.22.68.216    80  2   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScanAfter_UpdateStateAction|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001 -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FHocLM16GltfS7kGmb  text/plain  -   1.1
2016-07-15T17:56:34+0000    CjDYo1BDU2DjlnZ5f   10.252.28.186   60000   23.22.68.216    80  1   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScanBefore_UpdateStateAction|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   F39qAIMvQJMoS0xib   text/plain  -   1.1
2016-07-15T17:56:34+0000    CjDYo1BDU2DjlnZ5f   10.252.28.186   60000   23.22.68.216    80  2   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScan_BeforeChecks|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001   -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  (empty) -   -   -   -   -   Fr74Nj4KI2IcBL5xp8  text/plain  -   -   1.1
2016-07-15T17:56:34+0000    CjDYo1BDU2DjlnZ5f   10.252.28.186   60000   23.22.68.216    80  3   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScanStart|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001   -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   (empty) -   -   -   -   -   FZLzuz3u17tklttXf   text/plain  -   -   1.1
2016-07-15T17:56:34+0000    CqhMvY1o9McEj3Juj1  10.252.28.186   60002   23.22.68.216    80  1   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=StartScanQueryOnService_SilentScan|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   Fn1i0A1flBR71raMl5  text/plain  -   1.1
2016-07-15T17:56:34+0000    CqvYV64bF55bgEhil4  10.252.28.186   59999   23.22.68.216    80  3   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=SilentScan_AfterChecks|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  (empty) -   -   -   -   -   Fnk8dOepAASDrK65g   text/plain  -   -   1.1
2016-07-15T17:56:34+0000    CqvYV64bF55bgEhil4  10.252.28.186   59999   23.22.68.216    80  4   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=StartScanLastEntryOnClient_SilentScan|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001 -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   FBzM1t4Y0gvJO5OcN1  text/plain  -   1.1
2016-07-15T17:57:27+0000    CkmvrU2B160GvENCHi  10.252.28.186   60056   70.38.27.158    80  1   GET crm.pckeeper.com    /chat/crm/action=history&room=121614479807357892406d807c8z3975  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  200 OK  -   -   -   (empty) -   -   -   -   -   FFwrGq1BJsxG0fdhgh  -   -   1.1
2016-07-15T17:57:27+0000    CmeOPe15mVAAkkqn93  10.252.28.186   60064   70.38.27.158    80  1   GET support.pckeeper.com    /ping.html  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   6   200 OK  -   -   (empty) -   -   -   -   -   FHjgW3PjfJUARgHOa   -   -   -   1.1
2016-07-15T17:57:26+0000    CuPhV13XOuj6DAIdAg  10.252.28.186   60054   70.38.27.158    80  1   GET support.pckeeper.com    /chat/crm/action=connect?name=&email=&sid=1ed49752-f0cd-4d3e-b198-c7fa76160527:S20GNYAG405071:&issue=FindAndFix&source=PcKeeper&product=FindAndFixAV&affid=260.12068868.1468604394.20.mzb&lang=en&version=1.1.1049  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   401 200 OK  -   -   -   (empty) -   -   -   -   -   Fgnk4dNzAXuwkkjZ8   text/json   -   -   1.1
2016-07-15T17:57:28+0000    CjDYo1BDU2DjlnZ5f   10.252.28.186   60000   23.22.68.216    80  4   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=LivechatConnectingToPersonalExpert|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   -   -   (empty) -   -   -   -   -   Fxy5EY3pfqyd7U2vFi  text/plain  -   1.1
2016-07-15T17:57:27+0000    COAgNHcVZBj1zv00c   10.252.28.186   60066   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   504 200 OK  -   -   -   (empty) -   -   -   -   -   FdumRn2vc4Vy0lZjdf  text/json   -   -   1.1
2016-07-15T17:57:28+0000    CqvYV64bF55bgEhil4  10.252.28.186   59999   23.22.68.216    80  5   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=AVAlertRTPShow|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   (empty) -   -   -   -   -   FSzYtR2xZ2ar9MpS88  text/plain  -   -   1.1
2016-07-15T17:57:28+0000    C9WPnb1YrM8QyQDw05  10.252.28.186   60076   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   427 200 OK  -   -   -   (empty) -   -   -   -   -   FSZboJuzEoXqQjIo8   text/json   -   -   1.1
2016-07-15T17:57:28+0000    CcjB5X3TjhCDgNJdpa  10.252.28.186   60078   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_AV_installed { Kaspersky Endpoint Security 10 for Windows, Windows Defender, PCKeeper Antivirus } -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  269 200 OK  -   -   -   (empty) -   -   -   -   -   FoYz0l4CuV3uPIKmZ5  text/json   -   -   1.1
2016-07-15T17:57:28+0000    CocNDd1BQ3Ym6LFGQ   10.252.28.186   60082   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_fullscan_running  PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   188 200 OK  -   -   -   (empty) -   -   -   FJ3U4l2Wlz4wiMRRUh  text/json   -   -   1.1
2016-07-15T17:57:28+0000    C988qp0pg42hv6Z5f   10.252.28.186   60070   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_chat_started {"automessage_data": ["0 Threat"]}   -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   223 200 OK  -   -   (empty) -   -   -   -   -   F2EoH54ELQPOU8fnvh  text/json   -   -   1.1
2016-07-15T17:57:28+0000    CKgjys2Tp0rqpcdhth  10.252.28.186   60080   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   269 200 OK  -   -   -   (empty) -   -   -   -   -   Ffdgq612FI0KgUhXg7  text/json   -   -   1.1
2016-07-15T17:57:28+0000    CB3Fnn4OzP9g7L7clk  10.252.28.186   60084   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   188 200 OK  -   -   -   (empty) -   -   -   -   -   FT4I1p1tNW3geGlrC6  text/json   -   -   1.1
2016-07-15T17:57:28+0000    Cx71jd4mylFBvKJz64  10.252.28.186   60068   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=computerID:1ed49752-f0cd-4d3e-b198-c7fa76160527:S20GNYAG405071: trial:1 trt:17 OS:Microsoft Windows NT 6.2.9200.0 computer name:CSAN-29192 product version:1.1.1049 expiration:08/14/2016 10:41:07 activation:0 comptype:laptop country:United States cpu:Intel(R) Core(TM) i7-5600U CPU @ 2.60GHz ram:7.88GB vga:Intel(R) HD Graphics 5500[1024MB]  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   504 200 OK  -   -   -   (empty) -   -   -   -   -   F1eUOn2SrlxePfJMG9  text/json   1.1
2016-07-15T17:57:28+0000    C62Zk93rS3Br9YzZdh  10.252.28.186   60072   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   223 200 OK  -   -   -   (empty) -   -   -   -   -   FyLYz54vNPvHYOWDze  text/json   -   -   1.1
2016-07-15T17:57:28+0000    CYpjUh1STjsh6ZE6qb  10.252.28.186   60074   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_buynow_link http://pckeeper.com/buy-now-av?app=true&affid=260.12068868.1468604394.20.mzb&bns=chat&compid=1ed49752-f0cd-4d3e-b198-c7fa76160527:S20GNYAG405071:&version=1.1.1049.0&bundleId=32_1049070001&x-crmproduct=FindAndFixAV -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  427 200 OK  -   -   -   (empty) -   -   -   -   -   FuMVyKuTuYLbDRdzb   text/json   -   -   1.1
2016-07-15T17:57:29+0000    C7qz5v3B82Z2IYjIYg  10.252.28.186   60088   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//scan_results_not_available -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   193 200 OK  -   -   -   (empty) -   FHoqaa4ZEHjXRUzPQe  text/json   -   -   1.1
2016-07-15T17:57:29+0000    CdURbMTU4Icca8Rnb   10.252.28.186   60090   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_laptop    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   178 200 OK  -   -   -   (empty) -   -   -   FHp2m13roRhoK4RzH1  text/json   -   -   1.1
2016-07-15T17:57:29+0000    CT4WcQ1seSR04Y0Wjh  10.252.28.186   60092   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   178 200 OK  -   -   -   (empty) -   -   -   -   -   FTMiW03wSPQplxsWm7  text/json   -   -   1.1
2016-07-15T17:57:29+0000    ChiH7R3oXN5PqeD9nf  10.252.28.186   60086   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   193 200 OK  -   -   -   (empty) -   -   -   -   -   FM20l84KdE2o4orr9j  text/json   -   -   1.1
2016-07-15T17:57:29+0000    CSUmZ53qohp8deTQdh  10.252.28.186   60096   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   206 200 OK  -   -   -   (empty) -   -   -   -   -   FdyQ6k1xTMeNUClSJc  text/json   -   -   1.1
2016-07-15T17:57:29+0000    CrobVX3LvAVlXgEIaa  10.252.28.186   60094   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_default_browser { Firefox 47.0.1 }    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   206 200 OK  -   -   -   (empty) -   -   -   -   -   FKmiry3qj58XBOW6l1  text/json   -   -   1.1
2016-07-15T17:57:29+0000    CmMIbh2pgvGFGfZyz   10.252.28.186   60100   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   187 200 OK  -   -   -   (empty) -   -   -   -   -   Fmx6RspHCO2Thpnwl   text/json   -   -   1.1
2016-07-15T17:57:29+0000    CPljyf2cUDjTd8Smz2  10.252.28.186   60098   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_rtp_alert_shown   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   187 200 OK  -   -   -   (empty) -   -   -   FU9kEVmlbSL9FNxse   text/json   -   -   1.1
2016-07-15T17:57:32+0000    CBroqb2y37xba17e6c  10.252.28.186   60104   70.38.27.158    80  1   GET support.pckeeper.com    /ping.html  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   6   200 OK  -   -   (empty) -   -   -   -   -   Fz5iVE4xmTB7EGsmtf  -   -   -   1.1
2016-07-15T17:57:38+0000    CYjwNe2PxPtAgzgize  10.252.28.186   60108   70.38.27.158    80  1   GET support.pckeeper.com    /ping.html  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   6   200 OK  -   -   (empty) -   -   -   -   -   FywxFrVs7CteskRO5   -   -   -   1.1
2016-07-15T17:57:43+0000    CuiHMcS7ZdCRU3dxl   10.252.28.186   60110   70.38.27.158    80  1   GET support.pckeeper.com    /ping.html  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   6   200 OK  -   -   (empty) -   -   -   -   -   Fcvxv7s8MqIlTOyHh   -   -   -   1.1
2016-07-15T17:57:48+0000    CuMHY23dhKv7y9On33  10.252.28.186   60136   70.38.27.158    80  1   GET support.pckeeper.com    /ping.html  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   6   200 OK  -   -   (empty) -   -   -   -   -   FWcE0E3CsUoV5q8S3j  -   -   -   1.1
2016-07-15T17:57:53+0000    CPn3AG1exxkIvJdNR4  10.252.28.186   60138   70.38.27.158    80  1   GET support.pckeeper.com    /ping.html  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   6   200 OK  -   -   (empty) -   -   -   -   -   FaJV1GIhY41Oi3O84   -   -   -   1.1
2016-07-15T17:57:55+0000    C7WoffNwVKQZ2vJn6   10.252.28.186   60140   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_app_state { "active": true }  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   202 200 OK  -   -   -   (empty)FsOFI23z7cUwBmqPog   text/json   -   -   1.1
2016-07-15T17:57:29+0000    Cva2gB2LqUhefLYU18  10.252.28.186   60102   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   202 200 OK  -   -   -   (empty) -   -   -   -   -   FdNsjg2YenYRbxyUsk  text/json   -   -   1.1
2016-07-15T17:57:56+0000    CjDYo1BDU2DjlnZ5f   10.252.28.186   60000   23.22.68.216    80  5   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=AVAlertRTPDeleteClick|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001 -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   (empty) -   -   -   -   -   FoKhIY2MuvUWnDiOAd  text/plain  -   -   1.1
2016-07-15T17:57:56+0000    CqvYV64bF55bgEhil4  10.252.28.186   59999   23.22.68.216    80  6   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=AVPopupRTPShow|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   (empty) -   -   -   -   -   FLKCCX2tshbd4gMzsb  text/plain  -   -   1.1
2016-07-15T17:57:56+0000    CNDhaP3JHXpJ6iJf2d  10.252.28.186   60144   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_threats_detected_popup_shown_1 {"automessage_data":["83 Threats"]}    -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   242 200 OK  -   -   -   (empty) -   -   -   -   -   F7drxoUePYjPJz7U8   text/json   -   1.1
2016-07-15T17:57:55+0000    CCDj5pz6Xdrh08wS7   10.252.28.186   60142   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   242 200 OK  -   -   -   (empty) -   -   -   -   -   F9TSv1nVenYeoJWJ1   text/json   -   -   1.1
2016-07-15T17:57:56+0000    Ciwyj025DCZsJWGkQ   10.252.28.186   60146   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_rtp_alert_clickedPCKAV (1.1.1049.0) 6.2.9200.0  x64   0   189 200 OK  -   -   -   (empty) -   -   -   FEiZlk1SbC6IeYuQMh  text/json   -   -   1.1
2016-07-15T17:57:56+0000    C24qXzN0auKVcTQP5   10.252.28.186   60148   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   189 200 OK  -   -   -   (empty) -   -   -   -   -   FRezH55y2Cn6nAZz5   text/json   -   -   1.1
2016-07-15T17:57:58+0000    CT7wYb3MaOc2KNL6P   10.252.28.186   60158   70.38.27.158    80  1   GET support.pckeeper.com    /ping.html  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   6   200 OK  -   -   (empty) -   -   -   -   -   FHii7k1cPGiCRJdDvk  -   -   -   1.1
2016-07-15T17:58:00+0000    CqvYV64bF55bgEhil4  10.252.28.186   59999   23.22.68.216    80  7   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=AVPopupRTPClose|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001   -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   (empty) -   -   -   -   -   F7gg7A1ews2DR1Rjc8  text/plain  -   -   1.1
2016-07-15T17:58:00+0000    CjDYo1BDU2DjlnZ5f   10.252.28.186   60000   23.22.68.216    80  6   GET event.pckeeper.com  /event.php?step=PCKAVEventStat&mess=ActivationPopUpClose|VER_1.1.1049_VER&affid=260.12068868.1468604394.20.mzb&prodID=32&trt=17&bundleId=32_1049070001  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   30  200 OK  -   (empty) -   -   -   -   -   FVbnD91aKvHIwytpDl  text/plain  -   -   1.1
2016-07-15T17:58:00+0000    CDSWqj3irHJMqsirWl  10.252.28.186   60160   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_threats_detected_popup_closed_1   -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   203 200 OK  -   -   -   (empty)FhnONr2Tq08s4itpY5   text/json   -   -   1.1
2016-07-15T17:57:56+0000    CNRW3M3mmUSTp5ttkb  10.252.28.186   60150   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   203 200 OK  -   -   -   (empty) -   -   -   -   -   FbKEqD1eDSQIVRTtL2  text/json   -   -   1.1
2016-07-15T17:58:02+0000    Ce3OVIQnDRkMPw71b   10.252.28.186   60166   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_app_state { "active": false } -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   203 200 OK  -   -   -   (empty)FdjKJs4gDGDxyxyDC3   text/json   -   -   1.1
2016-07-15T17:58:02+0000    CbZueS3A3KImOl0nJf  10.252.28.186   60168   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   203 200 OK  -   -   -   (empty) -   -   -   -   -   FPZ1KS7csskE1wtW9   text/json   -   -   1.1
2016-07-15T17:58:00+0000    C8Wysj2kLK8lu5L8G9  10.252.28.186   60162   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   189 200 OK  -   -   -   (empty) -   -   -   -   -   F8Szr6IFuMkaoqpJe   text/json   -   -   1.1
2016-07-15T17:58:02+0000    CAFuKA4WMiWHJGskT8  10.252.28.186   60164   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /post/57892406d55eb230124480/121614479807357892406d807c8z3975/?mestype=comment&message=//ffav_minimized_to_trayPCKAV (1.1.1049.0) 6.2.9200.0  x64   0   189 200 OK  -   -   -   (empty) -   -   -   Fc3uWHjCFs3gW4OW8   text/json   -   -   1.1
2016-07-15T17:58:04+0000    CqNQI74CNWUcsZhZfe  10.252.28.186   60176   70.38.27.158    80  1   GET support.pckeeper.com    /ping.html  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   6   200 OK  -   -   (empty) -   -   -   -   -   Fr7K9y4EqqRQMS0Wf7  -   -   -   1.1
2016-07-15T17:58:07+0000    CCwDEzVI9xQv5lId7   10.252.28.186   60180   52.20.201.154   80  1   POST    av.pckeeper.com /ocf/index/scansubmit-vt?affid=260.12068868.1468604394.20.mzb   -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  5009    200 OK  -   -   -   (empty) -   -   -   Fh5vPVpFLcILoB1K9   application/x-gzip  F1ftnSFEAkmF15Z83   -   -   -   1.1
2016-07-15T17:58:02+0000    Cis17s2TFil6cTymlj  10.252.28.186   60170   54.164.215.45   80  1   GET chat-crm.pckeeper.com   /listen/121614479807357892406d807c8z3975/?client-id=57892406d55eb230124480  -   PCKAV (1.1.1049.0) 6.2.9200.0  x64  0   170 200 OK  -   -   -   (empty) -   -   -   -   -   FNxUZW3ZCDm5pmIrBd  text/json   -   -   1.1
Infection confirmed

End User Services unleashed

The power of context

We have this piece of intel

Saying "this intel" in public rocks

What else are we hunting for?

With Suricata. And why.

CnC - insane detection capabilities, tons of rules

2016-07-15T17:57:58+0000 CT7wYb3MaOc2KNL6P 10.252.28.186 60158 70.38.27.158 80 1 GET support.pckeeper.com /ping.html - PCKAV (1.1.1049.0) 6.2.9200.0 x64 0 6 200 OK - - (empty) - - - - - FHii7k1cPGiCRJdDvk - - - 1.1

Interesting User-Agents

alert http any any -> any any (msg:"SURICATA NetSession in http_user_agent"; content:"NetSession"; http_user_agent; sid:2500024; rev:1;)

Interesting DNS queries


alert udp any any -> any 53 (msg:"SURICATA DNS Query to a Suspicious *.ws Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ws|00|"; nocase; sid:2500003; rev:1;)
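To see what the two content matches in sid 2500003 pin down on the wire, here is an added Python example (not from the deck): it builds a minimal RFC 1035 query and applies the same offset/depth and label checks the rule does. The packet builder, the helper names and the sample names are assumptions made for the example.

```python
import struct

def build_dns_query(qname: str, txid: int = 0x1234, rd: bool = True, qtype: int = 1) -> bytes:
    """Constructed wire-format DNS query: 12-byte header, then the question section."""
    flags = 0x0100 if rd else 0x0000          # QR=0 (query), opcode 0, RD bit set or clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, AN/NS/AR=0
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")  # length-prefixed label
    question += b"\x00"                       # root label terminates the name
    return header + question + struct.pack("!HH", qtype, 1)    # QTYPE, QCLASS=IN

# The two content matches from sid 2500003, applied as Suricata applies them to the payload.
HEADER_PATTERN = bytes.fromhex("01 00 00 01 00 00 00 00 00 00")  # offset:2; depth:10
TLD_PATTERN = b"\x02ws\x00"                                      # nocase

def sid_2500003_matches(payload: bytes) -> bool:
    """True when the rule's two content checks both hold for this UDP payload."""
    # content 1: the 10 bytes starting at offset 2 are flags=0x0100 (standard query,
    # RD set), QDCOUNT=1 and ANCOUNT=NSCOUNT=ARCOUNT=0; responses (QR=1) never match
    if payload[2:2 + len(HEADER_PATTERN)] != HEADER_PATTERN:
        return False
    # content 2: a two-byte label "ws" immediately followed by the root label, so the
    # name must END in .ws; "ws.example.com" does not match because 0x07 follows "ws"
    return TLD_PATTERN in payload.lower()

if __name__ == "__main__":
    for name in ("init.example.ws", "EXAMPLE.WS", "ws.example.com", "example.com"):
        print(name, sid_2500003_matches(build_dns_query(name)))
```

The same packet with rd=False fails the first content match, which is one reason the rule is tied to a resolver-bound query rather than to any packet that mentions a .ws name.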

alert http any any -> any any (msg:"SURICATA HTTP Request to a Suspicious *.to Domain"; flow:established,to_server; content:".to"; http_host; isdataat:!1,relative; sid:2500006; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPICIOUS SSL Cert for DNSDYNAMIC.ORG domain mysq1.net"; flow:established,from_server; content:"|55 04 03|"; byte_jump:1,1,relative; content:".mysq1.net"; fast_pattern; distance:-10; within:10; sid:10120032; rev:1; classtype:misc-activity;)

Spoofed SSL certificates


alert tls any any -> any any (msg:"SURICATA SSL Gmail certificate not issued by Google"; tls.subject:"C=US, ST=California, L=Mountain View, O=Google Inc, CN=mail.google.com"; tls.issuerdn:!"C=US, O=Google Inc, CN=Google Internet Authority G2"; sid:2500014; rev:1;)
alert tls any any -> any any (msg:"SURICATA SSL Google certificate not issued by Google"; tls.subject:"C=US, ST=California, L=Mountain View, O=Google Inc, CN=google.com"; tls.issuerdn:!"C=US, O=Google Inc, CN=Google Internet Authority G2"; sid:2500015; rev:1;)

Private and public keys in clear


alert http any any -> any any (msg:"SURICATA FILE plaintext PEM RSA private key"; filemagic:"PEM RSA private key"; sid:2500017; rev:1;)
alert http any any -> any any (msg:"SURICATA FILE plaintext OpenSSH RSA1 private key"; filemagic:"OpenSSH RSA1 private key"; sid:2500023; rev:1;)

Known cleartext malicious communication - think DFIR


alert udp any any -> any [53,1024] (msg:"example_message"; flow:to_server; content:"alamakota|3A|somethinghere"; threshold: type limit, track by_src, seconds 1, count 1; sid:2700000; rev:1;)

Protocol anomalies


alert tcp any any -> any 80 (msg:"SURICATA non-HTTP on TCP port 80"; flow:to_server; app-layer-protocol:!http; threshold: type limit, track by_src, seconds 60, count 1; sid:2271002; rev:1;)


alert tcp any any -> any 53 (msg:"SURICATA non-DNS-TCP on TCP port 53"; flow:to_server; app-layer-protocol:!dns; threshold: type limit, track by_src, seconds 60, count 1; sid:2271016; rev:1;)

Two kinds of rules

X on non-X port

not-X on X-port

Takeaways

Impossible to investigate every single match

Impossible to tune your ruleset so you only have 8h * 60m = 480 matches per day (a match per minute)

Steps to happiness

Step 1 - Hunt for hosts that triggered interesting rules

Step 2 - For each host, fetch context, see what other rules have been triggered

Step 3 - Verify source/destination IP/hostnames with intelligence

Step 4 - Still unsure? Search for a malware name to find correlated IP/DNS, URL, etc

Step 5 - Look for them in Bro/eve logs
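Steps 1, 2 and 5 above as an added Python example (not the deck's own tooling): pick the internal hosts that fired one of the deck's "interesting" sids, pull every other alert those hosts produced from eve.json, then pivot into Bro's http.log the way bro-cut would. HOME_NET, the sid 9000001 "noise" rule, and all eve.json and http.log records are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored client range

# Sids from this deck's rules that justify a hunt (step 1).
INTERESTING_SIDS = {2500024, 2500017, 2500014, 2271002}

# Constructed Suricata eve.json records (not captured traffic): 10.0.0.5 hits three
# interesting rules plus a noise rule, 10.0.0.9 only the noise rule, plus one flow event.
EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP",'
    '"alert":{"signature_id":2500024,"signature":"SURICATA NetSession in http_user_agent"}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP",'
    '"alert":{"signature_id":2271002,"signature":"SURICATA non-HTTP on TCP port 80"}}',
    '{"event_type":"alert","src_ip":"203.0.113.44","dest_ip":"10.0.0.5","proto":"TCP",'
    '"alert":{"signature_id":2500014,"signature":"SURICATA SSL Gmail certificate not issued by Google"}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED noise rule"}}',
    '{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.10","proto":"TCP",'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED noise rule"}}',
    '{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"203.0.113.10","proto":"TCP"}',
]

# Constructed Bro http.log excerpt (tab separated, with the #fields header Bro writes).
BRO_HTTP_LOG = [
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent",
    "1468604500.0\t10.0.0.5\t203.0.113.10\tGET\tupdate.example.net\t/ping.html\tNetSession/1.0",
    "1468604501.0\t10.0.0.5\t203.0.113.10\tGET\tupdate.example.net\t/event.php\tNetSession/1.0",
    "1468604502.0\t10.0.0.9\t203.0.113.77\tGET\twww.example.org\t/\tMozilla/5.0",
]

def local_host(rec):
    """The HOME_NET side of an alert: src_ip for to_server rules, dest_ip for
    from_server rules such as the spoofed-certificate signatures."""
    for key in ("src_ip", "dest_ip"):
        if ipaddress.ip_address(rec[key]) in HOME_NET:
            return rec[key]
    return None

def alerts_by_host(eve_lines):
    """Step 2 material: every (sid, signature) seen per internal host, alerts only."""
    per_host = defaultdict(list)
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        host = local_host(rec)
        if host:
            per_host[host].append((rec["alert"]["signature_id"], rec["alert"]["signature"]))
    return per_host

def hunt(eve_lines, interesting=INTERESTING_SIDS):
    """Steps 1 and 2: hosts that fired an interesting rule, with their full alert context."""
    per_host = alerts_by_host(eve_lines)
    return {h: sorted(set(a)) for h, a in per_host.items()
            if any(sid in interesting for sid, _ in a)}

def http_context(bro_lines, host):
    """Step 5: which servers the host talked to over HTTP and with which User-Agent."""
    fields, seen = None, set()
    for line in bro_lines:
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]        # column names follow the #fields tag
            continue
        if line.startswith("#") or fields is None:
            continue                             # other header lines, or no header yet
        rec = dict(zip(fields, line.split("\t")))
        if rec["id.orig_h"] == host:
            seen.add((rec["host"], rec["user_agent"]))
    return sorted(seen)

if __name__ == "__main__":
    for host, alerts in hunt(EVE_LINES).items():
        print(host, alerts)
        print("  http:", http_context(BRO_HTTP_LOG, host))
```

Only 10.0.0.5 comes out of the hunt even though 10.0.0.9 also alerted, which is the point of step 1: start from the rules worth chasing, not from alert volume.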

Developer looking at production logs after a regression with downtime. Oil canvas, circa 1580

Overheard: looks like Michal

https://github.com/michalpurzynski @MichalPurzynski