mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Merge branch 'topic/jgras/mac-logging' of https://github.com/J-Gras/bro
Thanks! I've tweaked this a bit further, have a look. BIT-1613 #merged
This commit is contained in:
Robin Sommer
commit
d59bb2e9d1
22 changed files with 1828 additions and 452 deletions
|
|
@ -329,6 +329,8 @@ type endpoint: record {
|
||||||
## The current IPv6 flow label that the connection endpoint is using.
|
## The current IPv6 flow label that the connection endpoint is using.
|
||||||
## Always 0 if the connection is over IPv4.
|
## Always 0 if the connection is over IPv4.
|
||||||
flow_label: count;
|
flow_label: count;
|
||||||
|
## The link-layer address seen in the first packet (if available).
|
||||||
|
l2_addr: string &optional;
|
||||||
};
|
};
|
||||||
|
|
||||||
## A connection. This is Bro's basic connection type describing IP- and
|
## A connection. This is Bro's basic connection type describing IP- and
|
||||||
|
|
@ -370,14 +372,6 @@ type connection: record {
|
||||||
|
|
||||||
## The inner VLAN, if applicable for this connection.
|
## The inner VLAN, if applicable for this connection.
|
||||||
inner_vlan: int &optional;
|
inner_vlan: int &optional;
|
||||||
|
|
||||||
## The Ethernet MAC source addrees, if applicable for this connection.
|
|
||||||
## The address is derived from the connection's first packet.
|
|
||||||
eth_src: string &optional;
|
|
||||||
|
|
||||||
## The destination Ethernet MAC addrees, if applicable for this connection.
|
|
||||||
## The address is derived from the connection's first packet.
|
|
||||||
eth_dst: string &optional;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
## Default amount of time a file can be inactive before the file analysis
|
## Default amount of time a file can be inactive before the file analysis
|
||||||
|
|
|
||||||
|
|
@ -1,23 +1,24 @@
|
||||||
##! This script adds MAC address information to the connection logs.
|
##! This script adds link-layer address (MAC) information to the connection logs
|
||||||
|
|
||||||
@load base/protocols/conn
|
@load base/protocols/conn
|
||||||
|
|
||||||
module Conn;
|
module Conn;
|
||||||
|
|
||||||
redef record Info += {
|
redef record Info += {
|
||||||
## The Ethernet MAC source address for this connection, if applicable.
|
## Link-layer address of the originator, if available.
|
||||||
eth_src: string &log &optional;
|
orig_l2_addr: string &log &optional;
|
||||||
|
## Link-layer address of the responder, if available.
|
||||||
## The Ethernet MAC destination address for this connection, if applicable.
|
resp_l2_addr: string &log &optional;
|
||||||
eth_dst: string &log &optional;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Add the link-layer addresses to the Conn::Info structure after the connection
|
||||||
|
# has been removed. This ensures it's only done once, and is done before the
|
||||||
|
# connection information is written to the log.
|
||||||
event connection_state_remove(c: connection)
|
event connection_state_remove(c: connection)
|
||||||
{
|
{
|
||||||
if ( c?$eth_src )
|
if ( c$orig?$l2_addr )
|
||||||
c$conn$eth_src = c$eth_src;
|
c$conn$orig_l2_addr = c$orig$l2_addr;
|
||||||
|
|
||||||
if ( c?$eth_dst )
|
if ( c$resp?$l2_addr )
|
||||||
c$conn$eth_dst = c$eth_dst;
|
c$conn$resp_l2_addr = c$resp$l2_addr;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -88,3 +88,7 @@
|
||||||
# Uncomment the following line to enable logging of connection VLANs. Enabling
|
# Uncomment the following line to enable logging of connection VLANs. Enabling
|
||||||
# this adds two VLAN fields to the conn.log file.
|
# this adds two VLAN fields to the conn.log file.
|
||||||
# @load policy/protocols/conn/vlan-logging
|
# @load policy/protocols/conn/vlan-logging
|
||||||
|
|
||||||
|
# Uncomment the following line to enable logging of link-layer addresses. Enabling
|
||||||
|
# this adds the link-layer address for each connection endpoint to the conn.log file.
|
||||||
|
# @load policy/protocols/conn/mac-logging
|
||||||
|
|
|
||||||
40
src/Conn.cc
40
src/Conn.cc
|
|
@ -132,10 +132,18 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
|
||||||
saw_first_orig_packet = 1;
|
saw_first_orig_packet = 1;
|
||||||
saw_first_resp_packet = 0;
|
saw_first_resp_packet = 0;
|
||||||
|
|
||||||
|
if ( pkt->l2_src )
|
||||||
|
memcpy(orig_l2_addr, pkt->l2_src, sizeof(orig_l2_addr));
|
||||||
|
else
|
||||||
|
bzero(orig_l2_addr, sizeof(orig_l2_addr));
|
||||||
|
|
||||||
|
if ( pkt->l2_dst )
|
||||||
|
memcpy(resp_l2_addr, pkt->l2_dst, sizeof(resp_l2_addr));
|
||||||
|
else
|
||||||
|
bzero(resp_l2_addr, sizeof(resp_l2_addr));
|
||||||
|
|
||||||
vlan = pkt->vlan;
|
vlan = pkt->vlan;
|
||||||
inner_vlan = pkt->inner_vlan;
|
inner_vlan = pkt->inner_vlan;
|
||||||
memcpy(ð_src, pkt->eth_src, sizeof(eth_src));
|
|
||||||
memcpy(ð_dst, pkt->eth_dst, sizeof(eth_dst));
|
|
||||||
|
|
||||||
conn_val = 0;
|
conn_val = 0;
|
||||||
login_conn = 0;
|
login_conn = 0;
|
||||||
|
|
@ -365,11 +373,20 @@ RecordVal* Connection::BuildConnVal()
|
||||||
orig_endp->Assign(1, new Val(0, TYPE_COUNT));
|
orig_endp->Assign(1, new Val(0, TYPE_COUNT));
|
||||||
orig_endp->Assign(4, new Val(orig_flow_label, TYPE_COUNT));
|
orig_endp->Assign(4, new Val(orig_flow_label, TYPE_COUNT));
|
||||||
|
|
||||||
|
const int l2_len = sizeof(orig_l2_addr);
|
||||||
|
char null[l2_len]{};
|
||||||
|
|
||||||
|
if ( memcmp(&orig_l2_addr, &null, l2_len) != 0 )
|
||||||
|
orig_endp->Assign(5, new StringVal(fmt_mac(orig_l2_addr, l2_len)));
|
||||||
|
|
||||||
RecordVal *resp_endp = new RecordVal(endpoint);
|
RecordVal *resp_endp = new RecordVal(endpoint);
|
||||||
resp_endp->Assign(0, new Val(0, TYPE_COUNT));
|
resp_endp->Assign(0, new Val(0, TYPE_COUNT));
|
||||||
resp_endp->Assign(1, new Val(0, TYPE_COUNT));
|
resp_endp->Assign(1, new Val(0, TYPE_COUNT));
|
||||||
resp_endp->Assign(4, new Val(resp_flow_label, TYPE_COUNT));
|
resp_endp->Assign(4, new Val(resp_flow_label, TYPE_COUNT));
|
||||||
|
|
||||||
|
if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
|
||||||
|
resp_endp->Assign(5, new StringVal(fmt_mac(resp_l2_addr, l2_len)));
|
||||||
|
|
||||||
conn_val->Assign(0, id_val);
|
conn_val->Assign(0, id_val);
|
||||||
conn_val->Assign(1, orig_endp);
|
conn_val->Assign(1, orig_endp);
|
||||||
conn_val->Assign(2, resp_endp);
|
conn_val->Assign(2, resp_endp);
|
||||||
|
|
@ -391,19 +408,6 @@ RecordVal* Connection::BuildConnVal()
|
||||||
if ( inner_vlan != 0 )
|
if ( inner_vlan != 0 )
|
||||||
conn_val->Assign(10, new Val(inner_vlan, TYPE_INT));
|
conn_val->Assign(10, new Val(inner_vlan, TYPE_INT));
|
||||||
|
|
||||||
char null[sizeof(eth_src)]{};
|
|
||||||
|
|
||||||
if ( memcmp(ð_src, &null, sizeof(eth_src)) != 0 )
|
|
||||||
{
|
|
||||||
char* eaddr = ether_ntoa(ð_src);
|
|
||||||
conn_val->Assign(11, new StringVal(eaddr));
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( memcmp(ð_dst, &null, sizeof(eth_dst)) != 0 )
|
|
||||||
{
|
|
||||||
char* eaddr = ether_ntoa(ð_dst);
|
|
||||||
conn_val->Assign(12, new StringVal(eaddr));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( root_analyzer )
|
if ( root_analyzer )
|
||||||
|
|
@ -748,6 +752,12 @@ void Connection::FlipRoles()
|
||||||
resp_port = orig_port;
|
resp_port = orig_port;
|
||||||
orig_port = tmp_port;
|
orig_port = tmp_port;
|
||||||
|
|
||||||
|
const int l2_len = sizeof(orig_l2_addr);
|
||||||
|
u_char tmp_l2_addr[l2_len];
|
||||||
|
memcpy(tmp_l2_addr, resp_l2_addr, l2_len);
|
||||||
|
memcpy(resp_l2_addr, orig_l2_addr, l2_len);
|
||||||
|
memcpy(orig_l2_addr, tmp_l2_addr, l2_len);
|
||||||
|
|
||||||
bool tmp_bool = saw_first_resp_packet;
|
bool tmp_bool = saw_first_resp_packet;
|
||||||
saw_first_resp_packet = saw_first_orig_packet;
|
saw_first_resp_packet = saw_first_orig_packet;
|
||||||
saw_first_orig_packet = tmp_bool;
|
saw_first_orig_packet = tmp_bool;
|
||||||
|
|
|
||||||
12
src/Conn.h
12
src/Conn.h
|
|
@ -3,15 +3,6 @@
|
||||||
#ifndef conn_h
|
#ifndef conn_h
|
||||||
#define conn_h
|
#define conn_h
|
||||||
|
|
||||||
#include "bro-config.h"
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#ifdef HAVE_NETINET_ETHER_H
|
|
||||||
#include <netinet/ether.h>
|
|
||||||
#endif
|
|
||||||
#ifdef HAVE_NET_ETHERNET_H
|
|
||||||
#include <net/ethernet.h>
|
|
||||||
#endif
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include "Dict.h"
|
#include "Dict.h"
|
||||||
|
|
@ -305,7 +296,8 @@ protected:
|
||||||
TransportProto proto;
|
TransportProto proto;
|
||||||
uint32 orig_flow_label, resp_flow_label; // most recent IPv6 flow labels
|
uint32 orig_flow_label, resp_flow_label; // most recent IPv6 flow labels
|
||||||
uint32 vlan, inner_vlan; // VLAN this connection traverses, if available
|
uint32 vlan, inner_vlan; // VLAN this connection traverses, if available
|
||||||
ether_addr eth_src, eth_dst; // Ethernet MAC addresses, if available
|
u_char orig_l2_addr[Packet::l2_addr_len]; // Link-layer originator address, if available
|
||||||
|
u_char resp_l2_addr[Packet::l2_addr_len]; // Link-layer responder address, if available
|
||||||
double start_time, last_time;
|
double start_time, last_time;
|
||||||
double inactivity_timeout;
|
double inactivity_timeout;
|
||||||
RecordVal* conn_val;
|
RecordVal* conn_val;
|
||||||
|
|
|
||||||
|
|
@ -44,8 +44,8 @@ void Packet::Init(int arg_link_type, struct timeval *arg_ts, uint32 arg_caplen,
|
||||||
eth_type = 0;
|
eth_type = 0;
|
||||||
vlan = 0;
|
vlan = 0;
|
||||||
inner_vlan = 0;
|
inner_vlan = 0;
|
||||||
bzero(eth_src, sizeof(eth_src));
|
l2_src = 0;
|
||||||
bzero(eth_dst, sizeof(eth_dst));
|
l2_dst = 0;
|
||||||
|
|
||||||
l2_valid = false;
|
l2_valid = false;
|
||||||
|
|
||||||
|
|
@ -140,8 +140,8 @@ void Packet::ProcessLayer2()
|
||||||
int protocol = (pdata[12] << 8) + pdata[13];
|
int protocol = (pdata[12] << 8) + pdata[13];
|
||||||
|
|
||||||
eth_type = protocol;
|
eth_type = protocol;
|
||||||
memcpy(eth_dst, pdata, 6);
|
l2_dst = pdata;
|
||||||
memcpy(eth_src, pdata + 6, 6);
|
l2_src = pdata + 6;
|
||||||
|
|
||||||
pdata += GetLinkHeaderSize(link_type);
|
pdata += GetLinkHeaderSize(link_type);
|
||||||
|
|
||||||
|
|
@ -276,14 +276,17 @@ void Packet::ProcessLayer2()
|
||||||
}
|
}
|
||||||
pdata += rtheader_len;
|
pdata += rtheader_len;
|
||||||
|
|
||||||
|
u_char len_80211 = 0;
|
||||||
int type_80211 = pdata[0];
|
int type_80211 = pdata[0];
|
||||||
int len_80211 = 0;
|
|
||||||
if ( (type_80211 >> 4) & 0x04 )
|
if ( (type_80211 >> 4) & 0x04 )
|
||||||
{
|
{
|
||||||
//identified a null frame (we ignore for now). no weird.
|
//identified a null frame (we ignore for now). no weird.
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Look for the QoS indicator bit.
|
// Look for the QoS indicator bit.
|
||||||
|
|
||||||
if ( (type_80211 >> 4) & 0x08 )
|
if ( (type_80211 >> 4) & 0x08 )
|
||||||
len_80211 = 26;
|
len_80211 = 26;
|
||||||
else
|
else
|
||||||
|
|
@ -294,6 +297,35 @@ void Packet::ProcessLayer2()
|
||||||
Weird("truncated_radiotap_header");
|
Weird("truncated_radiotap_header");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Look for data frames
|
||||||
|
if ( type_80211 & 0x08 )
|
||||||
|
{
|
||||||
|
// Determine link-layer addresses based
|
||||||
|
// on 'To DS' and 'From DS' flags
|
||||||
|
switch ( pdata[1] & 0x03 ) {
|
||||||
|
case 0x00:
|
||||||
|
l2_dst = pdata + 4;
|
||||||
|
l2_src = pdata + 10;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 0x01:
|
||||||
|
l2_dst = pdata + 16;
|
||||||
|
l2_src = pdata + 10;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 0x02:
|
||||||
|
l2_dst = pdata + 4;
|
||||||
|
l2_src = pdata + 16;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 0x03:
|
||||||
|
l2_dst = pdata + 16;
|
||||||
|
l2_src = pdata + 24;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// skip 802.11 data header
|
// skip 802.11 data header
|
||||||
pdata += len_80211;
|
pdata += len_80211;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,13 +1,6 @@
|
||||||
#ifndef packet_h
|
#ifndef packet_h
|
||||||
#define packet_h
|
#define packet_h
|
||||||
|
|
||||||
#include "bro-config.h"
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#ifdef HAVE_NET_ETHERNET_H
|
|
||||||
#include <net/ethernet.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "Desc.h"
|
#include "Desc.h"
|
||||||
#include "IP.h"
|
#include "IP.h"
|
||||||
#include "NetVar.h"
|
#include "NetVar.h"
|
||||||
|
|
@ -58,7 +51,7 @@ public:
|
||||||
Packet(int link_type, struct timeval *ts, uint32 caplen,
|
Packet(int link_type, struct timeval *ts, uint32 caplen,
|
||||||
uint32 len, const u_char *data, int copy = false,
|
uint32 len, const u_char *data, int copy = false,
|
||||||
std::string tag = std::string(""))
|
std::string tag = std::string(""))
|
||||||
: data(0), eth_src(), eth_dst()
|
: data(0), l2_src(0), l2_dst(0)
|
||||||
{
|
{
|
||||||
Init(link_type, ts, caplen, len, data, copy, tag);
|
Init(link_type, ts, caplen, len, data, copy, tag);
|
||||||
}
|
}
|
||||||
|
|
@ -66,7 +59,7 @@ public:
|
||||||
/**
|
/**
|
||||||
* Default constructor. For internal use only.
|
* Default constructor. For internal use only.
|
||||||
*/
|
*/
|
||||||
Packet() : data(0), eth_src(), eth_dst()
|
Packet() : data(0), l2_src(0), l2_dst(0)
|
||||||
{
|
{
|
||||||
struct timeval ts = {0, 0};
|
struct timeval ts = {0, 0};
|
||||||
Init(0, &ts, 0, 0, 0);
|
Init(0, &ts, 0, 0, 0);
|
||||||
|
|
@ -154,6 +147,11 @@ public:
|
||||||
*/
|
*/
|
||||||
static Packet* Unserialize(UnserialInfo* info);
|
static Packet* Unserialize(UnserialInfo* info);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Maximal length of a layer 2 address.
|
||||||
|
*/
|
||||||
|
static const int l2_addr_len = 6;
|
||||||
|
|
||||||
// These are passed in through the constructor.
|
// These are passed in through the constructor.
|
||||||
std::string tag; /// Used in serialization
|
std::string tag; /// Used in serialization
|
||||||
double time; /// Timestamp reconstituted as float
|
double time; /// Timestamp reconstituted as float
|
||||||
|
|
@ -184,16 +182,15 @@ public:
|
||||||
uint32 eth_type;
|
uint32 eth_type;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* If layer 2 is Ethernet, the source MAC address. Valid iff
|
* Layer 2 source address. Valid iff Layer2Valid() returns true.
|
||||||
* Layer2Valid() returns true.
|
|
||||||
*/
|
*/
|
||||||
ether_addr eth_src[6];
|
const u_char* l2_src;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* If layer 2 is Ethernet, the destiantion MAC address. Valid iff
|
* Layer 2 destination address. Valid iff Layer2Valid() returns
|
||||||
* Layer2Valid() returns true.
|
* true.
|
||||||
*/
|
*/
|
||||||
ether_addr eth_dst[6];
|
const u_char* l2_dst;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* (Outermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
|
* (Outermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
|
||||||
|
|
|
||||||
|
|
@ -152,13 +152,13 @@ char* fmt_mac(const unsigned char* m, int len)
|
||||||
{
|
{
|
||||||
char* buf = new char[25];
|
char* buf = new char[25];
|
||||||
|
|
||||||
if ( len < 8 )
|
if ( len < 8 && len != 6 )
|
||||||
{
|
{
|
||||||
*buf = '\0';
|
*buf = '\0';
|
||||||
return buf;
|
return buf;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( m[6] == 0 && m[7] == 0 ) // EUI-48
|
if ( (len == 6) || (m[6] == 0 && m[7] == 0) ) // EUI-48
|
||||||
snprintf(buf, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
|
snprintf(buf, 19, "%02x:%02x:%02x:%02x:%02x:%02x",
|
||||||
m[0], m[1], m[2], m[3], m[4], m[5]);
|
m[0], m[1], m[2], m[3], m[4], m[5]);
|
||||||
else
|
else
|
||||||
|
|
|
||||||
|
|
@ -1,36 +1,36 @@
|
||||||
0:30:48:bd:3e:c4, 1:0:5e:0:0:fb
|
00:30:48:bd:3e:c4, 01:00:5e:00:00:fb
|
||||||
0:17:f2:d7:cf:65, 33:33:0:0:0:fb
|
00:17:f2:d7:cf:65, 33:33:00:00:00:fb
|
||||||
0:17:f2:d7:cf:65, 1:0:5e:0:0:fb
|
00:17:f2:d7:cf:65, 01:00:5e:00:00:fb
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:24:7e:e0:1d:b5, 0:13:7f:be:8c:ff
|
00:24:7e:e0:1d:b5, 00:13:7f:be:8c:ff
|
||||||
0:13:7f:be:8c:ff, 0:e0:db:1:cf:4b
|
00:13:7f:be:8c:ff, 00:e0:db:01:cf:4b
|
||||||
0:16:76:23:d9:e3, 1:0:5e:0:0:fb
|
00:16:76:23:d9:e3, 01:00:5e:00:00:fb
|
||||||
f0:4d:a2:47:ba:25, ff:ff:ff:ff:ff:ff
|
f0:4d:a2:47:ba:25, ff:ff:ff:ff:ff:ff
|
||||||
f0:4d:a2:47:ba:25, 33:33:0:1:0:3
|
f0:4d:a2:47:ba:25, 33:33:00:01:00:03
|
||||||
f0:4d:a2:47:ba:25, 1:0:5e:0:0:fc
|
f0:4d:a2:47:ba:25, 01:00:5e:00:00:fc
|
||||||
f0:4d:a2:47:ba:25, 33:33:0:1:0:3
|
f0:4d:a2:47:ba:25, 33:33:00:01:00:03
|
||||||
f0:4d:a2:47:ba:25, 1:0:5e:0:0:fc
|
f0:4d:a2:47:ba:25, 01:00:5e:00:00:fc
|
||||||
0:23:32:b6:c:46, ff:ff:ff:ff:ff:ff
|
00:23:32:b6:0c:46, ff:ff:ff:ff:ff:ff
|
||||||
-, -
|
90:72:40:97:b6:f5, 44:2b:03:aa:ab:8d
|
||||||
-, -
|
a4:67:06:f7:ec:54, 33:33:00:00:00:fb
|
||||||
|
|
|
||||||
|
|
@ -1,2 +1,2 @@
|
||||||
[size=0, state=5, num_pkts=3, num_bytes_ip=156, flow_label=0]
|
[size=0, state=5, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:1f:aa:34:18:bc]
|
||||||
[size=0, state=6, num_pkts=2, num_bytes_ip=92, flow_label=0]
|
[size=0, state=6, num_pkts=2, num_bytes_ip=92, flow_label=0, l2_addr=c4:71:fe:3a:5d:c2]
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,3 @@
|
||||||
[orig_h=1.2.0.2, orig_p=2527/tcp, resp_h=1.2.0.3, resp_p=6649/tcp]
|
[orig_h=1.2.0.2, orig_p=2527/tcp, resp_h=1.2.0.3, resp_p=6649/tcp]
|
||||||
orig:, [size=175, state=1, num_pkts=4, num_bytes_ip=395, flow_label=0]
|
orig:, [size=175, state=1, num_pkts=4, num_bytes_ip=395, flow_label=0, l2_addr=00:15:17:0b:7c:61]
|
||||||
resp:, [size=0, state=6, num_pkts=5, num_bytes_ip=236, flow_label=0]
|
resp:, [size=0, state=6, num_pkts=5, num_bytes_ip=236, flow_label=0, l2_addr=00:00:00:00:00:04]
|
||||||
|
|
|
||||||
|
|
@ -5,9 +5,9 @@
|
||||||
:emphasize-lines: 1,1
|
:emphasize-lines: 1,1
|
||||||
|
|
||||||
# bro -b -r http/get.trace connection_record_01.bro
|
# bro -b -r http/get.trace connection_record_01.bro
|
||||||
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
|
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
|
||||||
|
|
||||||
}, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
|
}, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
|
||||||
|
|
||||||
}], extract_orig=F, extract_resp=F, thresholds=<uninitialized>]
|
}], extract_orig=F, extract_resp=F, thresholds=<uninitialized>]
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -5,9 +5,9 @@
|
||||||
:emphasize-lines: 1,1
|
:emphasize-lines: 1,1
|
||||||
|
|
||||||
# bro -b -r http/get.trace connection_record_02.bro
|
# bro -b -r http/get.trace connection_record_02.bro
|
||||||
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
|
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
|
||||||
|
|
||||||
}, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
|
}, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
|
||||||
|
|
||||||
}], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={
|
}], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -238,7 +238,7 @@
|
||||||
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1464554162.183391, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1464817397.31039, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
|
||||||
|
|
@ -359,7 +359,7 @@
|
||||||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1464554162.183391, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
|
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1464817397.31039, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
|
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(NetControl::init, <null>, ()) -> <no result>
|
0.000000 MetaHookPost CallFunction(NetControl::init, <null>, ()) -> <no result>
|
||||||
0.000000 MetaHookPost CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
|
0.000000 MetaHookPost CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
|
||||||
|
|
@ -895,7 +895,7 @@
|
||||||
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
|
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
|
||||||
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
|
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
|
||||||
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
|
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
|
||||||
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1464554162.183391, node=bro, filter=ip or not ip, init=T, success=T]))
|
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1464817397.31039, node=bro, filter=ip or not ip, init=T, success=T]))
|
||||||
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
|
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
|
||||||
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
|
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
|
||||||
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
|
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
|
||||||
|
|
@ -1016,7 +1016,7 @@
|
||||||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
|
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
|
||||||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
|
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
|
||||||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
|
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
|
||||||
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1464554162.183391, node=bro, filter=ip or not ip, init=T, success=T]))
|
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1464817397.31039, node=bro, filter=ip or not ip, init=T, success=T]))
|
||||||
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, <frame>, ())
|
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, <frame>, ())
|
||||||
0.000000 MetaHookPre CallFunction(NetControl::init, <null>, ())
|
0.000000 MetaHookPre CallFunction(NetControl::init, <null>, ())
|
||||||
0.000000 MetaHookPre CallFunction(Notice::want_pp, <frame>, ())
|
0.000000 MetaHookPre CallFunction(Notice::want_pp, <frame>, ())
|
||||||
|
|
@ -1551,7 +1551,7 @@
|
||||||
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
|
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
|
||||||
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
|
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
|
||||||
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
|
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
|
||||||
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1464554162.183391, node=bro, filter=ip or not ip, init=T, success=T])
|
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1464817397.31039, node=bro, filter=ip or not ip, init=T, success=T])
|
||||||
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
|
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
|
||||||
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
|
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
|
||||||
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
|
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
|
||||||
|
|
@ -1672,7 +1672,7 @@
|
||||||
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
|
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
|
||||||
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
|
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
|
||||||
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
|
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
|
||||||
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1464554162.183391, node=bro, filter=ip or not ip, init=T, success=T])
|
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1464817397.31039, node=bro, filter=ip or not ip, init=T, success=T])
|
||||||
0.000000 | HookCallFunction NetControl::check_plugins()
|
0.000000 | HookCallFunction NetControl::check_plugins()
|
||||||
0.000000 | HookCallFunction NetControl::init()
|
0.000000 | HookCallFunction NetControl::init()
|
||||||
0.000000 | HookCallFunction Notice::want_pp()
|
0.000000 | HookCallFunction Notice::want_pp()
|
||||||
|
|
@ -1721,22 +1721,22 @@
|
||||||
1362692526.869344 MetaHookPost CallFunction(NetControl::check_conn, <frame>, (141.142.228.5)) -> <no result>
|
1362692526.869344 MetaHookPost CallFunction(NetControl::check_conn, <frame>, (141.142.228.5)) -> <no result>
|
||||||
1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, <null>, ()) -> <no result>
|
1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, <null>, ()) -> <no result>
|
||||||
1362692526.869344 MetaHookPost CallFunction(get_net_stats, <frame>, ()) -> <no result>
|
1362692526.869344 MetaHookPost CallFunction(get_net_stats, <frame>, ()) -> <no result>
|
||||||
1362692526.869344 MetaHookPost CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
1362692526.869344 MetaHookPost CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
||||||
1362692526.869344 MetaHookPost DrainEvents() -> <void>
|
1362692526.869344 MetaHookPost DrainEvents() -> <void>
|
||||||
1362692526.869344 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false
|
1362692526.869344 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false
|
||||||
1362692526.869344 MetaHookPost QueueEvent(filter_change_tracking()) -> false
|
1362692526.869344 MetaHookPost QueueEvent(filter_change_tracking()) -> false
|
||||||
1362692526.869344 MetaHookPost QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
|
1362692526.869344 MetaHookPost QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
|
||||||
1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> <void>
|
1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> <void>
|
||||||
1362692526.869344 MetaHookPre BroObjDtor(<void ptr>)
|
1362692526.869344 MetaHookPre BroObjDtor(<void ptr>)
|
||||||
1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, <null>, ())
|
1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, <null>, ())
|
||||||
1362692526.869344 MetaHookPre CallFunction(NetControl::check_conn, <frame>, (141.142.228.5))
|
1362692526.869344 MetaHookPre CallFunction(NetControl::check_conn, <frame>, (141.142.228.5))
|
||||||
1362692526.869344 MetaHookPre CallFunction(filter_change_tracking, <null>, ())
|
1362692526.869344 MetaHookPre CallFunction(filter_change_tracking, <null>, ())
|
||||||
1362692526.869344 MetaHookPre CallFunction(get_net_stats, <frame>, ())
|
1362692526.869344 MetaHookPre CallFunction(get_net_stats, <frame>, ())
|
||||||
1362692526.869344 MetaHookPre CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
1362692526.869344 MetaHookPre CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
||||||
1362692526.869344 MetaHookPre DrainEvents()
|
1362692526.869344 MetaHookPre DrainEvents()
|
||||||
1362692526.869344 MetaHookPre QueueEvent(ChecksumOffloading::check())
|
1362692526.869344 MetaHookPre QueueEvent(ChecksumOffloading::check())
|
||||||
1362692526.869344 MetaHookPre QueueEvent(filter_change_tracking())
|
1362692526.869344 MetaHookPre QueueEvent(filter_change_tracking())
|
||||||
1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
||||||
1362692526.869344 MetaHookPre UpdateNetworkTime(1362692526.869344)
|
1362692526.869344 MetaHookPre UpdateNetworkTime(1362692526.869344)
|
||||||
1362692526.869344 | HookBroObjDtor
|
1362692526.869344 | HookBroObjDtor
|
||||||
1362692526.869344 | HookUpdateNetworkTime 1362692526.869344
|
1362692526.869344 | HookUpdateNetworkTime 1362692526.869344
|
||||||
|
|
@ -1744,24 +1744,24 @@
|
||||||
1362692526.869344 | HookCallFunction NetControl::check_conn(141.142.228.5)
|
1362692526.869344 | HookCallFunction NetControl::check_conn(141.142.228.5)
|
||||||
1362692526.869344 | HookCallFunction filter_change_tracking()
|
1362692526.869344 | HookCallFunction filter_change_tracking()
|
||||||
1362692526.869344 | HookCallFunction get_net_stats()
|
1362692526.869344 | HookCallFunction get_net_stats()
|
||||||
1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||||
1362692526.869344 | HookDrainEvents
|
1362692526.869344 | HookDrainEvents
|
||||||
1362692526.869344 | HookQueueEvent ChecksumOffloading::check()
|
1362692526.869344 | HookQueueEvent ChecksumOffloading::check()
|
||||||
1362692526.869344 | HookQueueEvent filter_change_tracking()
|
1362692526.869344 | HookQueueEvent filter_change_tracking()
|
||||||
1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||||
1362692526.869344 | RequestObjDtor ChecksumOffloading::check()
|
1362692526.869344 | RequestObjDtor ChecksumOffloading::check()
|
||||||
1362692526.939084 MetaHookPost CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
1362692526.939084 MetaHookPost CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
||||||
1362692526.939084 MetaHookPost DrainEvents() -> <void>
|
1362692526.939084 MetaHookPost DrainEvents() -> <void>
|
||||||
1362692526.939084 MetaHookPost QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
|
1362692526.939084 MetaHookPost QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
|
||||||
1362692526.939084 MetaHookPost UpdateNetworkTime(1362692526.939084) -> <void>
|
1362692526.939084 MetaHookPost UpdateNetworkTime(1362692526.939084) -> <void>
|
||||||
1362692526.939084 MetaHookPre CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
1362692526.939084 MetaHookPre CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
||||||
1362692526.939084 MetaHookPre DrainEvents()
|
1362692526.939084 MetaHookPre DrainEvents()
|
||||||
1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
||||||
1362692526.939084 MetaHookPre UpdateNetworkTime(1362692526.939084)
|
1362692526.939084 MetaHookPre UpdateNetworkTime(1362692526.939084)
|
||||||
1362692526.939084 | HookUpdateNetworkTime 1362692526.939084
|
1362692526.939084 | HookUpdateNetworkTime 1362692526.939084
|
||||||
1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||||
1362692526.939084 | HookDrainEvents
|
1362692526.939084 | HookDrainEvents
|
||||||
1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||||
1362692526.939378 MetaHookPost DrainEvents() -> <void>
|
1362692526.939378 MetaHookPost DrainEvents() -> <void>
|
||||||
1362692526.939378 MetaHookPost UpdateNetworkTime(1362692526.939378) -> <void>
|
1362692526.939378 MetaHookPost UpdateNetworkTime(1362692526.939378) -> <void>
|
||||||
1362692526.939378 MetaHookPre DrainEvents()
|
1362692526.939378 MetaHookPre DrainEvents()
|
||||||
|
|
@ -1771,12 +1771,12 @@
|
||||||
1362692526.939527 MetaHookPost CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
|
||||||
|
|
@ -1791,30 +1791,30 @@
|
||||||
1362692526.939527 MetaHookPost CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(network_time, <frame>, ()) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(network_time, <frame>, ()) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost CallFunction(split_string1, <frame>, (bro.org, <...>/)) -> <no result>
|
1362692526.939527 MetaHookPost CallFunction(split_string1, <frame>, (bro.org, <...>/)) -> <no result>
|
||||||
1362692526.939527 MetaHookPost DrainEvents() -> <void>
|
1362692526.939527 MetaHookPost DrainEvents() -> <void>
|
||||||
1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
|
1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
|
1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
|
1362692526.939527 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> false
|
1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false
|
1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
|
1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
|
1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
|
1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false
|
1362692526.939527 MetaHookPost QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false
|
||||||
1362692526.939527 MetaHookPost QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
|
1362692526.939527 MetaHookPost QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
|
||||||
1362692526.939527 MetaHookPost UpdateNetworkTime(1362692526.939527) -> <void>
|
1362692526.939527 MetaHookPost UpdateNetworkTime(1362692526.939527) -> <void>
|
||||||
1362692526.939527 MetaHookPre CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
|
1362692526.939527 MetaHookPre CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
|
||||||
1362692526.939527 MetaHookPre CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
|
1362692526.939527 MetaHookPre CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
|
||||||
1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
||||||
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
|
1362692526.939527 MetaHookPre CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
|
||||||
1362692526.939527 MetaHookPre CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
|
1362692526.939527 MetaHookPre CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
|
||||||
1362692526.939527 MetaHookPre CallFunction(fmt, <frame>, (-%s, HTTP))
|
1362692526.939527 MetaHookPre CallFunction(fmt, <frame>, (-%s, HTTP))
|
||||||
|
|
@ -1829,31 +1829,31 @@
|
||||||
1362692526.939527 MetaHookPre CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
|
1362692526.939527 MetaHookPre CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
|
||||||
1362692526.939527 MetaHookPre CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
|
1362692526.939527 MetaHookPre CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
|
||||||
1362692526.939527 MetaHookPre CallFunction(network_time, <frame>, ())
|
1362692526.939527 MetaHookPre CallFunction(network_time, <frame>, ())
|
||||||
1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
|
1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
|
||||||
1362692526.939527 MetaHookPre CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
|
1362692526.939527 MetaHookPre CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
|
||||||
1362692526.939527 MetaHookPre CallFunction(split_string1, <frame>, (bro.org, <...>/))
|
1362692526.939527 MetaHookPre CallFunction(split_string1, <frame>, (bro.org, <...>/))
|
||||||
1362692526.939527 MetaHookPre DrainEvents()
|
1362692526.939527 MetaHookPre DrainEvents()
|
||||||
1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
1362692526.939527 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
|
1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
|
1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
|
1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
|
1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
|
1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
|
1362692526.939527 MetaHookPre QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
|
||||||
1362692526.939527 MetaHookPre QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
|
1362692526.939527 MetaHookPre QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
|
||||||
1362692526.939527 MetaHookPre UpdateNetworkTime(1362692526.939527)
|
1362692526.939527 MetaHookPre UpdateNetworkTime(1362692526.939527)
|
||||||
1362692526.939527 | HookUpdateNetworkTime 1362692526.939527
|
1362692526.939527 | HookUpdateNetworkTime 1362692526.939527
|
||||||
1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
|
1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
|
||||||
1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP)
|
1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP)
|
||||||
1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||||
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
|
1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
|
||||||
1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
|
1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
|
||||||
1362692526.939527 | HookCallFunction fmt(-%s, HTTP)
|
1362692526.939527 | HookCallFunction fmt(-%s, HTTP)
|
||||||
|
|
@ -1868,20 +1868,20 @@
|
||||||
1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
|
1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
|
||||||
1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
|
1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
|
||||||
1362692526.939527 | HookCallFunction network_time()
|
1362692526.939527 | HookCallFunction network_time()
|
||||||
1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
|
1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
|
||||||
1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
|
1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
|
||||||
1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/)
|
1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/)
|
||||||
1362692526.939527 | HookDrainEvents
|
1362692526.939527 | HookDrainEvents
|
||||||
1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||||
1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
|
1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
|
||||||
1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
|
1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
|
||||||
1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
|
1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
|
||||||
1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
|
1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
|
||||||
1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
|
1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
|
||||||
1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
|
1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
|
||||||
1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=c8:bc:c8:96:d2:a0, eth_dst=0:10:db:88:d2:ef, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
|
1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
|
||||||
1362692527.008509 MetaHookPost DrainEvents() -> <void>
|
1362692527.008509 MetaHookPost DrainEvents() -> <void>
|
||||||
1362692527.008509 MetaHookPost UpdateNetworkTime(1362692527.008509) -> <void>
|
1362692527.008509 MetaHookPost UpdateNetworkTime(1362692527.008509) -> <void>
|
||||||
1362692527.008509 MetaHookPre DrainEvents()
|
1362692527.008509 MetaHookPre DrainEvents()
|
||||||
|
|
|
||||||
File diff suppressed because one or more lines are too long
|
|
@ -1,5 +1,5 @@
|
||||||
1254722768.219663 smtp_reply
|
1254722768.219663 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 220
|
[2] code: count = 220
|
||||||
[3] cmd: string = >
|
[3] cmd: string = >
|
||||||
|
|
@ -7,7 +7,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1254722768.219663 smtp_reply
|
1254722768.219663 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 220
|
[2] code: count = 220
|
||||||
[3] cmd: string = >
|
[3] cmd: string = >
|
||||||
|
|
@ -15,7 +15,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1254722768.219663 smtp_reply
|
1254722768.219663 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 220
|
[2] code: count = 220
|
||||||
[3] cmd: string = >
|
[3] cmd: string = >
|
||||||
|
|
@ -23,13 +23,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722768.224809 smtp_request
|
1254722768.224809 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = EHLO
|
[2] command: string = EHLO
|
||||||
[3] arg: string = GP
|
[3] arg: string = GP
|
||||||
|
|
||||||
1254722768.566183 smtp_reply
|
1254722768.566183 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -37,7 +37,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1254722768.566183 smtp_reply
|
1254722768.566183 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -45,7 +45,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1254722768.566183 smtp_reply
|
1254722768.566183 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -53,7 +53,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1254722768.566183 smtp_reply
|
1254722768.566183 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -61,7 +61,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1254722768.566183 smtp_reply
|
1254722768.566183 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -69,7 +69,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1254722768.566183 smtp_reply
|
1254722768.566183 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -77,13 +77,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722768.568729 smtp_request
|
1254722768.568729 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = AUTH
|
[2] command: string = AUTH
|
||||||
[3] arg: string = LOGIN
|
[3] arg: string = LOGIN
|
||||||
|
|
||||||
1254722768.911081 smtp_reply
|
1254722768.911081 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 334
|
[2] code: count = 334
|
||||||
[3] cmd: string = AUTH
|
[3] cmd: string = AUTH
|
||||||
|
|
@ -91,13 +91,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722768.911655 smtp_request
|
1254722768.911655 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = **
|
[2] command: string = **
|
||||||
[3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu
|
[3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu
|
||||||
|
|
||||||
1254722769.253544 smtp_reply
|
1254722769.253544 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 334
|
[2] code: count = 334
|
||||||
[3] cmd: string = AUTH_ANSWER
|
[3] cmd: string = AUTH_ANSWER
|
||||||
|
|
@ -105,13 +105,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722769.254118 smtp_request
|
1254722769.254118 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = **
|
[2] command: string = **
|
||||||
[3] arg: string = cHVuamFiQDEyMw==
|
[3] arg: string = cHVuamFiQDEyMw==
|
||||||
|
|
||||||
1254722769.613798 smtp_reply
|
1254722769.613798 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 235
|
[2] code: count = 235
|
||||||
[3] cmd: string = AUTH_ANSWER
|
[3] cmd: string = AUTH_ANSWER
|
||||||
|
|
@ -119,13 +119,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722769.614414 smtp_request
|
1254722769.614414 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = MAIL
|
[2] command: string = MAIL
|
||||||
[3] arg: string = FROM: <gurpartap@patriots.in>
|
[3] arg: string = FROM: <gurpartap@patriots.in>
|
||||||
|
|
||||||
1254722769.956765 smtp_reply
|
1254722769.956765 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = MAIL
|
[3] cmd: string = MAIL
|
||||||
|
|
@ -133,13 +133,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722769.957250 smtp_request
|
1254722769.957250 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = RCPT
|
[2] command: string = RCPT
|
||||||
[3] arg: string = TO: <raj_deol2002in@yahoo.co.in>
|
[3] arg: string = TO: <raj_deol2002in@yahoo.co.in>
|
||||||
|
|
||||||
1254722770.319708 smtp_reply
|
1254722770.319708 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = RCPT
|
[3] cmd: string = RCPT
|
||||||
|
|
@ -147,13 +147,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722770.320203 smtp_request
|
1254722770.320203 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = DATA
|
[2] command: string = DATA
|
||||||
[3] arg: string =
|
[3] arg: string =
|
||||||
|
|
||||||
1254722770.661679 smtp_reply
|
1254722770.661679 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 354
|
[2] code: count = 354
|
||||||
[3] cmd: string = DATA
|
[3] cmd: string = DATA
|
||||||
|
|
@ -161,13 +161,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722771.858334 smtp_request
|
1254722771.858334 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = .
|
[2] command: string = .
|
||||||
[3] arg: string = .
|
[3] arg: string = .
|
||||||
|
|
||||||
1254722772.248789 smtp_reply
|
1254722772.248789 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = .
|
[3] cmd: string = .
|
||||||
|
|
@ -175,13 +175,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1254722774.763825 smtp_request
|
1254722774.763825 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = QUIT
|
[2] command: string = QUIT
|
||||||
[3] arg: string =
|
[3] arg: string =
|
||||||
|
|
||||||
1254722775.105467 smtp_reply
|
1254722775.105467 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=0:e0:1c:3c:17:c2, eth_dst=0:1f:33:d9:81:60, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 221
|
[2] code: count = 221
|
||||||
[3] cmd: string = QUIT
|
[3] cmd: string = QUIT
|
||||||
|
|
@ -189,7 +189,7 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1437831787.867142 smtp_reply
|
1437831787.867142 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 220
|
[2] code: count = 220
|
||||||
[3] cmd: string = >
|
[3] cmd: string = >
|
||||||
|
|
@ -197,13 +197,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1437831787.883306 smtp_request
|
1437831787.883306 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = EHLO
|
[2] command: string = EHLO
|
||||||
[3] arg: string = [192.168.133.100]
|
[3] arg: string = [192.168.133.100]
|
||||||
|
|
||||||
1437831787.886281 smtp_reply
|
1437831787.886281 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -211,7 +211,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1437831787.886281 smtp_reply
|
1437831787.886281 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -219,7 +219,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1437831787.886281 smtp_reply
|
1437831787.886281 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -227,7 +227,7 @@
|
||||||
[5] cont_resp: bool = T
|
[5] cont_resp: bool = T
|
||||||
|
|
||||||
1437831787.886281 smtp_reply
|
1437831787.886281 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = EHLO
|
[3] cmd: string = EHLO
|
||||||
|
|
@ -235,13 +235,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1437831787.887031 smtp_request
|
1437831787.887031 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = MAIL
|
[2] command: string = MAIL
|
||||||
[3] arg: string = FROM:<albert@example.com>
|
[3] arg: string = FROM:<albert@example.com>
|
||||||
|
|
||||||
1437831787.889785 smtp_reply
|
1437831787.889785 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = MAIL
|
[3] cmd: string = MAIL
|
||||||
|
|
@ -249,13 +249,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1437831787.890232 smtp_request
|
1437831787.890232 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = RCPT
|
[2] command: string = RCPT
|
||||||
[3] arg: string = TO:<ericlim220@yahoo.com>
|
[3] arg: string = TO:<ericlim220@yahoo.com>
|
||||||
|
|
||||||
1437831787.892986 smtp_reply
|
1437831787.892986 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = RCPT
|
[3] cmd: string = RCPT
|
||||||
|
|
@ -263,13 +263,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1437831787.893587 smtp_request
|
1437831787.893587 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = RCPT
|
[2] command: string = RCPT
|
||||||
[3] arg: string = TO:<felica4uu@hotmail.com>
|
[3] arg: string = TO:<felica4uu@hotmail.com>
|
||||||
|
|
||||||
1437831787.897624 smtp_reply
|
1437831787.897624 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = RCPT
|
[3] cmd: string = RCPT
|
||||||
|
|
@ -277,13 +277,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1437831787.898413 smtp_request
|
1437831787.898413 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = RCPT
|
[2] command: string = RCPT
|
||||||
[3] arg: string = TO:<davis_mark1@outlook.com>
|
[3] arg: string = TO:<davis_mark1@outlook.com>
|
||||||
|
|
||||||
1437831787.901069 smtp_reply
|
1437831787.901069 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = RCPT
|
[3] cmd: string = RCPT
|
||||||
|
|
@ -291,13 +291,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1437831787.901697 smtp_request
|
1437831787.901697 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = DATA
|
[2] command: string = DATA
|
||||||
[3] arg: string =
|
[3] arg: string =
|
||||||
|
|
||||||
1437831787.904758 smtp_reply
|
1437831787.904758 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 354
|
[2] code: count = 354
|
||||||
[3] cmd: string = DATA
|
[3] cmd: string = DATA
|
||||||
|
|
@ -305,13 +305,13 @@
|
||||||
[5] cont_resp: bool = F
|
[5] cont_resp: bool = F
|
||||||
|
|
||||||
1437831787.905375 smtp_request
|
1437831787.905375 smtp_request
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = T
|
[1] is_orig: bool = T
|
||||||
[2] command: string = .
|
[2] command: string = .
|
||||||
[3] arg: string = .
|
[3] arg: string = .
|
||||||
|
|
||||||
1437831787.914113 smtp_reply
|
1437831787.914113 smtp_reply
|
||||||
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_src=58:b0:35:86:54:8d, eth_dst=0:8:ca:cc:ad:4c, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
|
||||||
[1] is_orig: bool = F
|
[1] is_orig: bool = F
|
||||||
[2] code: count = 250
|
[2] code: count = 250
|
||||||
[3] cmd: string = .
|
[3] cmd: string = .
|
||||||
|
|
|
||||||
|
|
@ -3,41 +3,41 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path conn
|
#path conn
|
||||||
#open 2016-05-29-20-26-45
|
#open 2016-06-01-23-46-06
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents eth_src eth_dst
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr
|
||||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string
|
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string
|
||||||
1300475169.780331 C7XEbhP654jzLoe3a 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) 0:13:7f:be:8c:ff 0:e0:db:1:cf:4b
|
1300475169.780331 C7XEbhP654jzLoe3a 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) 00:13:7f:be:8c:ff 00:e0:db:01:cf:4b
|
||||||
1300475168.859163 CsRx2w45OKnoww6xl4 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.859163 CsRx2w45OKnoww6xl4 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.652003 CJ3xTn1c4Zw9TmAE05 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.652003 CJ3xTn1c4Zw9TmAE05 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.895267 C6pKV8GSxOnSLghOa 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.895267 C6pKV8GSxOnSLghOa 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.902635 CIPOse170MGiRM1Qf4 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.902635 CIPOse170MGiRM1Qf4 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.892936 CRJuHdVW0XPVINV8a 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.892936 CRJuHdVW0XPVINV8a 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.855305 CCvvfg3TEfuqmmG4bh 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.855305 CCvvfg3TEfuqmmG4bh 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.892913 CPbrpk1qSsw6ESzHV4 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.892913 CPbrpk1qSsw6ESzHV4 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.724007 CXWv6p3arKYeMETxOg 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.724007 CXWv6p3arKYeMETxOg 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.855330 CjhGID4nQcgTWjvg4c 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.855330 CjhGID4nQcgTWjvg4c 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.891644 CMXxB5GvmoxJFXdTa 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.891644 CMXxB5GvmoxJFXdTa 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475170.862384 Caby8b1slFea8xwSmb 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) f0:4d:a2:47:ba:25 ff:ff:ff:ff:ff:ff
|
1300475170.862384 Caby8b1slFea8xwSmb 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) f0:4d:a2:47:ba:25 ff:ff:ff:ff:ff:ff
|
||||||
1300475168.853899 Che1bq3i2rO3KD1Syg 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.853899 Che1bq3i2rO3KD1Syg 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.854378 C3SfNE4BWaU4aSuwkc 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.854378 C3SfNE4BWaU4aSuwkc 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.857956 CEle3f3zno26fFZkrh 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.857956 CEle3f3zno26fFZkrh 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475173.117362 CwSkQu4eWZCH7OONC1 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 1:0:5e:0:0:fc
|
1300475173.117362 CwSkQu4eWZCH7OONC1 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 01:00:5e:00:00:fc
|
||||||
1300475167.097012 CfTOmO0HKorjr8Zp7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) 0:17:f2:d7:cf:65 33:33:0:0:0:fb
|
1300475167.097012 CfTOmO0HKorjr8Zp7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) 00:17:f2:d7:cf:65 33:33:00:00:00:fb
|
||||||
1300475168.858713 CzA03V1VcgagLjnO92 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.858713 CzA03V1VcgagLjnO92 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475171.675372 CyAhVIzHqb7t7kv28 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:0:1:0:3
|
1300475171.675372 CyAhVIzHqb7t7kv28 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:00:01:00:03
|
||||||
1300475167.096535 Cab0vO1xNYSS2hJkle 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) 0:30:48:bd:3e:c4 1:0:5e:0:0:fb
|
1300475167.096535 Cab0vO1xNYSS2hJkle 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) 00:30:48:bd:3e:c4 01:00:5e:00:00:fb
|
||||||
1300475167.099816 Cx2FqO23omNawSNrxj 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) 0:17:f2:d7:cf:65 1:0:5e:0:0:fb
|
1300475167.099816 Cx2FqO23omNawSNrxj 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) 00:17:f2:d7:cf:65 01:00:5e:00:00:fb
|
||||||
1300475168.892037 Cx3C534wEyF3OvvcQe 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.892037 Cx3C534wEyF3OvvcQe 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.893988 CkDsfG2YIeWJmXWNWj 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.893988 CkDsfG2YIeWJmXWNWj 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.854837 CUKS0W3HFYOnBqSE5e 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.854837 CUKS0W3HFYOnBqSE5e 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475169.899438 CRrfvP2lalMAYOCLhj 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) 0:16:76:23:d9:e3 1:0:5e:0:0:fb
|
1300475169.899438 CRrfvP2lalMAYOCLhj 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) 00:16:76:23:d9:e3 01:00:5e:00:00:fb
|
||||||
1300475173.116749 Cn78a440HlxuyZKs6f fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:0:1:0:3
|
1300475173.116749 Cn78a440HlxuyZKs6f fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:00:01:00:03
|
||||||
1300475168.858306 CUof3F2yAIid8QS3dk 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.858306 CUof3F2yAIid8QS3dk 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.894422 CojBOU3CXcLHl1r6x1 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.894422 CojBOU3CXcLHl1r6x1 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475173.153679 CJzVQRGJrX6V15ik7 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) 0:23:32:b6:c:46 ff:ff:ff:ff:ff:ff
|
1300475173.153679 CJzVQRGJrX6V15ik7 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) 00:23:32:b6:0c:46 ff:ff:ff:ff:ff:ff
|
||||||
1300475168.892414 ClAbxY1nmdjCuo0Le2 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.892414 ClAbxY1nmdjCuo0Le2 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475171.677081 CwG0BF1VXE0gWgs78 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 1:0:5e:0:0:fc
|
1300475171.677081 CwG0BF1VXE0gWgs78 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 01:00:5e:00:00:fc
|
||||||
1300475168.902195 CisNaL1Cm73CiNOmcg 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.902195 CisNaL1Cm73CiNOmcg 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.894787 CBQnJn22qN8TOeeZil 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.894787 CBQnJn22qN8TOeeZil 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
1300475168.901749 CbEsuD3dgDDngdlbKf 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) 0:24:7e:e0:1d:b5 0:13:7f:be:8c:ff
|
1300475168.901749 CbEsuD3dgDDngdlbKf 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff
|
||||||
#close 2016-05-29-20-26-45
|
#close 2016-06-01-23-46-06
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,9 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path conn
|
#path conn
|
||||||
#open 2016-05-29-20-26-45
|
#open 2016-06-01-23-46-07
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents eth_src eth_dst
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr
|
||||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string
|
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string
|
||||||
1439902891.705224 CXWv6p3arKYeMETxOg 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty) - -
|
1439902891.705224 CXWv6p3arKYeMETxOg 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty) 90:72:40:97:b6:f5 44:2b:03:aa:ab:8d
|
||||||
1439903050.580632 CjhGID4nQcgTWjvg4c fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 328 0 0 (empty) - -
|
1439903050.580632 CjhGID4nQcgTWjvg4c fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 328 0 0 (empty) a4:67:06:f7:ec:54 33:33:00:00:00:fb
|
||||||
#close 2016-05-29-20-26-45
|
#close 2016-06-01-23-46-07
|
||||||
|
|
|
||||||
File diff suppressed because it is too large
Load diff
BIN
testing/btest/Traces/llc.pcap
Normal file
BIN
testing/btest/Traces/llc.pcap
Normal file
Binary file not shown.
|
|
@ -4,8 +4,8 @@
|
||||||
|
|
||||||
event new_connection(c: connection)
|
event new_connection(c: connection)
|
||||||
{
|
{
|
||||||
if ( c?$eth_src && c?$eth_dst )
|
if ( c$orig?$l2_addr && c$resp?$l2_addr )
|
||||||
print c$eth_src, c$eth_dst;
|
print c$orig$l2_addr, c$resp$l2_addr;
|
||||||
else
|
else
|
||||||
print "-", "-";
|
print "-", "-";
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,11 @@
|
||||||
# @TEST-EXEC: mv conn.log conn1.log
|
# @TEST-EXEC: mv conn.log conn1.log
|
||||||
# @TEST-EXEC: bro -b -C -r $TRACES/radiotap.pcap %INPUT
|
# @TEST-EXEC: bro -b -C -r $TRACES/radiotap.pcap %INPUT
|
||||||
# @TEST-EXEC: mv conn.log conn2.log
|
# @TEST-EXEC: mv conn.log conn2.log
|
||||||
|
# @TEST-EXEC: bro -b -C -r $TRACES/llc.pcap %INPUT
|
||||||
|
# @TEST-EXEC: mv conn.log conn3.log
|
||||||
|
#
|
||||||
# @TEST-EXEC: btest-diff conn1.log
|
# @TEST-EXEC: btest-diff conn1.log
|
||||||
# @TEST-EXEC: btest-diff conn2.log
|
# @TEST-EXEC: btest-diff conn2.log
|
||||||
|
# @TEST-EXEC: btest-diff conn3.log
|
||||||
|
|
||||||
@load protocols/conn/mac-logging
|
@load protocols/conn/mac-logging
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue