Alert Table for 2017-11-21-traffic-analysis-exercise-6-of-6.pcap

Relative Time	Packet	Source	Source Port	Destination	Dest Port	Category	Rule Set	Signature	Severity
0.0	n/a	116.90.60.136	80	192.168.9.155	49754	Potential Corporate Privacy Violation	ET POLICY	PE EXE or DLL Windows file download HTTP	1
0.0	n/a	116.90.60.136	80	192.168.9.155	49754	Potentially Bad Traffic	ET INFO	Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	2
0.0	n/a	116.90.60.136	80	192.168.9.155	49754	Misc activity	ET INFO	EXE - Served Attached HTTP	3
1.0	16	192.168.9.155	49668	13.107.4.52	80	Misc activity	ET INFO	Microsoft Connection Test	3
6.0	310	192.168.9.155	49676	65.52.108.254	443	Unknown Traffic	ET JA3	Hash - Possible Malware - Fake Firefox Font Update	3
6.0	310	192.168.9.155	49676	65.52.108.254	443	Unknown Traffic	ET JA3	Hash - [Abuse.ch] Possible Tofsee	3
7.0	353	192.168.9.155	49678	131.253.34.238	443	Unknown Traffic	ET JA3	Hash - Possible Malware - Fake Firefox Font Update	3
7.0	353	192.168.9.155	49678	131.253.34.238	443	Unknown Traffic	ET JA3	Hash - [Abuse.ch] Possible Tofsee	3
63.0	956	192.168.9.155	49734	131.253.34.230	443	Unknown Traffic	ET JA3	Hash - Possible Malware - Fake Firefox Font Update	3
63.0	956	192.168.9.155	49734	131.253.34.230	443	Unknown Traffic	ET JA3	Hash - [Abuse.ch] Possible Tofsee	3
63.0	983	192.168.9.155	49735	65.52.108.229	443	Unknown Traffic	ET JA3	Hash - Possible Malware - Fake Firefox Font Update	3
63.0	983	192.168.9.155	49735	65.52.108.229	443	Unknown Traffic	ET JA3	Hash - [Abuse.ch] Possible Tofsee	3
97.0	1486	116.90.60.136	80	192.168.9.155	49754	A Network Trojan was detected	ET POLICY	Terse Named Filename EXE Download - Possibly Hostile	1
106.0	1963	192.168.9.155	49759	194.88.246.242	443	Malware Command and Control Activity Detected	ET MALWARE	W32/Emotet.v4 Checkin	1
106.0	1963	192.168.9.155	49759	194.88.246.242	443	Potentially Bad Traffic	ET POLICY	HTTP traffic on port 443 (POST)	2
106.0	1963	192.168.9.155	49759	194.88.246.242	443	Potentially Bad Traffic	ET HUNTING	GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	2
180.0	3469	192.168.9.155	49786	13.107.4.52	80	Misc activity	ET INFO	Microsoft Connection Test	3
198.0	4855	192.168.9.155	49779	23.53.120.145	443	Generic Protocol Command Decode	SURICATA STREAM	Packet with invalid ack	3
198.0	4855	192.168.9.155	49779	23.53.120.145	443	Generic Protocol Command Decode	SURICATA STREAM	SHUTDOWN RST invalid ack	3
198.0	4860	192.168.9.155	49774	23.53.120.145	443	Generic Protocol Command Decode	SURICATA STREAM	Packet with invalid ack	3
198.0	4860	192.168.9.155	49774	23.53.120.145	443	Generic Protocol Command Decode	SURICATA STREAM	SHUTDOWN RST invalid ack	3
198.0	4867	192.168.9.155	49778	23.53.120.145	443	Generic Protocol Command Decode	SURICATA STREAM	Packet with invalid ack	3
198.0	4867	192.168.9.155	49778	23.53.120.145	443	Generic Protocol Command Decode	SURICATA STREAM	SHUTDOWN RST invalid ack	3
263.0	6715	192.168.9.155	49900	23.50.125.142	443	Generic Protocol Command Decode		SURICATA Applayer Wrong direction first Data	3
264.0	6736	13.107.13.88	443	192.168.9.155	49813	Generic Protocol Command Decode	SURICATA STREAM	Packet with invalid ack	3
264.0	6736	13.107.13.88	443	192.168.9.155	49813	Generic Protocol Command Decode	SURICATA STREAM	SHUTDOWN RST invalid ack	3
304.0	6896	192.168.9.155	49963	64.4.54.254	443	Generic Protocol Command Decode		SURICATA Applayer Wrong direction first Data	3
326.0	7002	192.168.9.155	49829	23.50.125.142	443	Generic Protocol Command Decode	SURICATA STREAM	Packet with invalid ack	3
326.0	7002	192.168.9.155	49829	23.50.125.142	443	Generic Protocol Command Decode	SURICATA STREAM	SHUTDOWN RST invalid ack	3
607.0	7416	192.168.9.155	49991	64.4.54.254	443	Generic Protocol Command Decode	SURICATA STREAM	bad window update	3
607.0	7418	192.168.9.155	49991	64.4.54.254	443	Generic Protocol Command Decode	SURICATA STREAM	bad window update	3

Open in new window Done