Alert Table for 2017-10-21-traffic-analysis-exercise.pcap

Relative Time Packet Source Source Port Destination Dest Port Category Rule Set Signature Severity
0.0 n/a 23.56.3.183 80 10.0.1.95 61252 Generic Protocol Command Decode SURICATA HTTP unable to match response to request 3
0.0 n/a 173.241.244.11 80 10.0.1.95 61329 Generic Protocol Command Decode SURICATA HTTP unable to match response to request 3
0.0 n/a 23.56.3.183 80 10.0.1.95 61294 Generic Protocol Command Decode SURICATA HTTP unable to match response to request 3
0.0 n/a 80.239.137.59 80 10.0.1.95 61236 Generic Protocol Command Decode SURICATA HTTP unable to match response to request 3
0.0 n/a 23.56.3.183 80 10.0.1.95 61292 Generic Protocol Command Decode SURICATA HTTP unable to match response to request 3
0.0 n/a 80.239.137.50 80 10.0.1.95 61258 Generic Protocol Command Decode SURICATA HTTP unable to match response to request 3
0.0 n/a 173.241.244.212 80 10.0.1.95 61318 Generic Protocol Command Decode SURICATA HTTP unable to match response to request 3
0.0 n/a 128.177.96.24 80 10.0.1.95 61263 Generic Protocol Command Decode SURICATA HTTP unable to match response to request 3
2.0 62 10.0.1.95 49672 65.52.108.254 443 Unknown Traffic ET JA3 Hash - Possible Malware - Fake Firefox Font Update 3
3.0 117 10.0.1.95 49674 65.52.108.212 443 Unknown Traffic ET JA3 Hash - Possible Malware - Fake Firefox Font Update 3
55.0 605 107.180.41.148 80 10.0.1.95 49691 Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP 1
55.0 605 107.180.41.148 80 10.0.1.95 49691 Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download 2
77.0 722 10.0.1.95 49671 65.52.108.254 443 Unknown Traffic ET JA3 Hash - Possible Malware - Fake Firefox Font Update 3
80.0 848 10.0.1.95 49676 65.52.108.254 443 Unknown Traffic ET JA3 Hash - Possible Malware - Fake Firefox Font Update 3
81.0 874 10.0.1.95 49677 40.77.224.255 443 Unknown Traffic ET JA3 Hash - Possible Malware - Fake Firefox Font Update 3
137.0 1230 10.0.1.95 57624 65.52.108.254 443 Unknown Traffic ET JA3 Hash - Possible Malware - Fake Firefox Font Update 3
137.0 1267 10.0.1.95 57625 65.52.108.225 443 Unknown Traffic ET JA3 Hash - Possible Malware - Fake Firefox Font Update 3
195.0 1860 10.0.1.95 53133 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
195.0 1863 10.0.1.95 53133 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
195.0 1866 10.0.1.95 53133 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
195.0 1870 10.0.1.95 53133 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
196.0 1876 10.0.1.95 53133 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
196.0 1883 10.0.1.95 53133 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
257.0 3864 10.0.1.95 63717 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4443 10.0.1.95 57756 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4447 10.0.1.95 57757 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4456 10.0.1.95 57756 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4458 10.0.1.95 57757 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4459 10.0.1.95 57758 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4474 10.0.1.95 57756 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4475 10.0.1.95 57758 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4476 10.0.1.95 57757 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
538.0 4478 10.0.1.95 57759 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
539.0 4489 10.0.1.95 57756 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
539.0 4491 10.0.1.95 57757 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
539.0 4493 10.0.1.95 57759 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
539.0 4496 10.0.1.95 57757 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
539.0 4498 10.0.1.95 57756 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
539.0 4516 10.0.1.95 57756 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
539.0 4517 10.0.1.95 57757 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
544.0 4770 10.0.1.95 49516 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
544.0 4776 10.0.1.95 49516 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
549.0 4863 10.0.1.95 49520 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
550.0 4869 10.0.1.95 49520 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
554.0 4914 10.0.1.95 49522 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
554.0 4933 10.0.1.95 49522 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
554.0 5008 10.0.1.95 49522 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5041 10.0.1.95 49522 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5042 10.0.1.95 49527 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5195 10.0.1.95 49527 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5196 10.0.1.95 49522 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5272 10.0.1.95 49527 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5273 10.0.1.95 49522 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5297 10.0.1.95 49527 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5308 10.0.1.95 49527 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5333 10.0.1.95 49527 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5334 10.0.1.95 49529 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
555.0 5349 10.0.1.95 49529 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
556.0 5373 10.0.1.95 49532 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
556.0 5384 10.0.1.95 49532 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
556.0 5439 10.0.1.95 49534 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
556.0 5446 10.0.1.95 49534 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
556.0 5454 10.0.1.95 49534 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
556.0 5461 10.0.1.95 49534 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
556.0 5466 10.0.1.95 49534 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
556.0 5472 10.0.1.95 49534 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
562.0 5563 10.0.1.95 49538 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
562.0 5567 10.0.1.95 49538 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
566.0 5658 10.0.1.95 49542 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
566.0 5670 10.0.1.95 49542 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
567.0 5672 10.0.1.95 49543 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
567.0 5680 10.0.1.95 49543 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5748 10.0.1.95 49547 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5751 10.0.1.95 49546 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5755 10.0.1.95 49546 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5756 10.0.1.95 49547 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5761 10.0.1.95 49546 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5763 10.0.1.95 49547 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5767 10.0.1.95 49546 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5769 10.0.1.95 49547 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5773 10.0.1.95 49546 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5774 10.0.1.95 49547 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5780 10.0.1.95 49547 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
572.0 5781 10.0.1.95 49546 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
634.0 6141 10.0.1.95 61209 104.18.61.210 80 Generic Protocol Command Decode SURICATA HTTP Request abnormal Content-Encoding header 3
635.0 7322 104.18.61.210 80 10.0.1.95 61209 Exploit Kit Activity Detected ET EXPLOIT_KIT EITest Inject July 25 2017 1
635.0 7681 10.0.1.95 61209 104.18.61.210 80 Potential Corporate Privacy Violation ET POLICY Outdated Flash Version M1 1
638.0 8852 10.0.1.95 61320 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
638.0 8880 10.0.1.95 61320 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
638.0 8894 10.0.1.95 61313 172.226.84.55 443 Unknown Traffic ET JA3 Hash - [Abuse.ch] Possible Adware 3
638.0 8905 10.0.1.95 61320 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
638.0 8921 10.0.1.95 61320 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
638.0 8945 10.0.1.95 61320 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
638.0 9001 10.0.1.95 61320 13.107.4.52 80 Misc activity ET INFO Microsoft Connection Test 3
692.0 9518 10.0.1.95 55963 10.0.1.1 53 Potentially Bad Traffic ET DNS Query to a .tk domain - Likely Hostile 2
692.0 9519 10.0.1.95 55963 10.0.1.1 53 Potentially Bad Traffic ET DNS Query to a .tk domain - Likely Hostile 2
693.0 9534 10.0.1.95 61356 162.244.35.36 80 Potentially Bad Traffic ET POLICY HTTP Request to a *.tk domain 2
693.0 9537 162.244.35.36 80 10.0.1.95 61356 Possible Social Engineering Attempted ET WEB_CLIENT Tech Support Phone Scam Landing (err.mp3) 2016-08-12 2
693.0 9537 162.244.35.36 80 10.0.1.95 61356 Possible Social Engineering Attempted ET WEB_CLIENT Fake AV Phone Scam Landing Feb 12 2
693.0 9544 10.0.1.95 61357 162.244.35.36 80 Potentially Bad Traffic ET POLICY HTTP Request to a *.tk domain 2
693.0 9580 10.0.1.95 61356 162.244.35.36 80 Potentially Bad Traffic ET POLICY HTTP Request to a *.tk domain 2
698.0 9653 10.0.1.95 61356 162.244.35.36 80 Potentially Bad Traffic ET POLICY HTTP Request to a *.tk domain 2
698.0 9656 10.0.1.95 61357 162.244.35.36 80 Potentially Bad Traffic ET POLICY HTTP Request to a *.tk domain 2
702.0 9917 162.244.35.33 80 10.0.1.95 61354 Exploit Kit Activity Detected ET EXPLOIT_KIT Possible Keitaro TDS Redirect 1