[Oisf-users] False Positive for 2210044?

Peter Manev petermanev at gmail.com
Fri Feb 1 08:45:15 UTC 2019


On Mon, Jan 21, 2019 at 6:31 PM James Moe <jimoe at sohnen-moe.com> wrote:
>
> Hello,
>   suricata 4.1.2
>   opensuse leap 15.0
>
>   There have recently been a lot of hits on rule #2210044. Most of them
> occur when the local email server is responding to the sending agent.
> Sometimes, it is in response to a DNS request.
>   Below is the JSON record of the transaction.
>
>   Is this a false positive?
>

Is it possible to share a pcap (privately if you will) that reproduces
the issue?

> 01/21/2019-09:27:53.749796  [**] [1:2210044:2] SURICATA STREAM Packet
> with invalid timestamp [**] [Classification: Generic Protocol Command
> Decode] [Priority: 3] {TCP} 127.0.0.1:125 -> 127.0.0.1:51192
>
> ----[ json ]----
> {"timestamp":"2019-01-21T09:27:53.109208-0700","flow_id":897471511439478,"event_type":"dns","src_ip":"192.168.69.246","src_port":37544,"dest_ip":"208.67.220.220","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54078,"rrname":"apache.org","rrtype":"NS","tx_id":330}}
> {"timestamp":"2019-01-21T09:27:53.113569-0700","flow_id":480095179553770,"event_type":"dns","src_ip":"192.168.69.246","src_port":42082,"dest_ip":"9.9.9.9","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12304,"rrname":"apache.org","rrtype":"NS","tx_id":329}}
> {"timestamp":"2019-01-21T09:27:53.117929-0700","flow_id":1975113165753464,"event_type":"dns","src_ip":"192.168.69.246","src_port":59652,"dest_ip":"208.67.222.222","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25664,"rrname":"apache.org","rrtype":"NS","tx_id":330}}
> {"timestamp":"2019-01-21T09:27:53.122277-0700","flow_id":235333583297706,"event_type":"dns","src_ip":"192.168.69.246","src_port":51584,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15800,"rrname":"apache.org","rrtype":"NS","tx_id":330}}
> {"timestamp":"2019-01-21T09:27:53.132544-0700","flow_id":897471511439478,"event_type":"dns","src_ip":"208.67.220.220","src_port":53,"dest_ip":"192.168.69.246","dest_port":37544,"proto":"UDP","dns":{"version":2,"type":"answer","id":54078,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1713},{"rrname":"apache.org","rrtype":"NS","ttl":1713},{"rrname":"apache.org","rrtype":"NS","ttl":1713},{"rrname":"apache.org","rrtype":"NS","ttl":1713},{"rrname":"apache.org","rrtype":"NS","ttl":1713}],"grouped":{}}}
> {"timestamp":"2019-01-21T09:27:53.144860-0700","flow_id":1975113165753464,"event_type":"dns","src_ip":"208.67.222.222","src_port":53,"dest_ip":"192.168.69.246","dest_port":59652,"proto":"UDP","dns":{"version":2,"type":"answer","id":25664,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1060},{"rrname":"apache.org","rrtype":"NS","ttl":1060},{"rrname":"apache.org","rrtype":"NS","ttl":1060},{"rrname":"apache.org","rrtype":"NS","ttl":1060},{"rrname":"apache.org","rrtype":"NS","ttl":1060}],"grouped":{}}}
> {"timestamp":"2019-01-21T09:27:53.153017-0700","flow_id":235333583297706,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":51584,"proto":"UDP","dns":{"version":2,"type":"answer","id":15800,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800}],"grouped":{}}}
> {"timestamp":"2019-01-21T09:27:53.535571-0700","flow_id":1717136297349739,"event_type":"smtp","src_ip":"140.211.11.3","src_port":34921,"dest_ip":"192.168.69.246","dest_port":25,"proto":"TCP","tx_id":0,"smtp":{"helo":"mail.apache.org","mail_from":"<users-return-118376-jimoe=sohnen-moe.com at httpd.apache.org>","rcpt_to":["<jimoe at sohnen-moe.com>"]},"email":{"status":"PARSE_DONE","from":"Osman Zakir <osmanzakir90 at hotmail.com>","to":["\"users at httpd.apache.org\" <users at httpd.apache.org>"],"url":["192.168.10.12:5501\/?q=accesskey","192.168.10.12:5501\/","192.168.10.12:5501\/?q=accesskey"\u200B","192.168.10.12:5501\/"\u200B"]}}
> {"timestamp":"2019-01-21T09:27:53.609825-0700","flow_id":575044363809590,"event_type":"smtp","src_ip":"127.0.0.1","src_port":51192,"dest_ip":"127.0.0.1","dest_port":125,"proto":"TCP","tx_id":0,"smtp":{"helo":"mail.apache.org","mail_from":"<users-return-118376-jimoe=sohnen-moe.com at httpd.apache.org>","rcpt_to":["<jimoe at sohnen-moe.com>"]},"email":{"status":"PARSE_DONE","from":"Osman Zakir <osmanzakir90 at hotmail.com>","to":["\"users at httpd.apache.org\" <users at httpd.apache.org>"],"url":["192.168.10.12:5501\/?q=accesskey","192.168.10.12:5501\/","192.168.10.12:5501\/?q=accesskey"\u200B","192.168.10.12:5501\/"\u200B"]}}
> {"timestamp":"2019-01-21T09:27:53.655387-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":41402,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3244,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","tx_id":0}}
> {"timestamp":"2019-01-21T09:27:53.655622-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":41402,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3244,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","tx_id":1}}
> {"timestamp":"2019-01-21T09:27:53.655622-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":41402,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3244,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","tx_id":1}}
> {"timestamp":"2019-01-21T09:27:53.656402-0700","flow_id":1961781929509906,"event_type":"dns","src_ip":"192.168.69.246","src_port":53846,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13428,"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","tx_id":0}}
> {"timestamp":"2019-01-21T09:27:53.656391-0700","flow_id":2014992279340039,"event_type":"dns","src_ip":"192.168.69.246","src_port":54690,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43762,"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","tx_id":0}}
> {"timestamp":"2019-01-21T09:27:53.656407-0700","flow_id":1335369539322903,"event_type":"dns","src_ip":"192.168.69.246","src_port":47057,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":55995,"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","tx_id":0}}
> {"timestamp":"2019-01-21T09:27:53.656409-0700","flow_id":2107200932217881,"event_type":"dns","src_ip":"192.168.69.246","src_port":47201,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11394,"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"AAAA","tx_id":0}}
> {"timestamp":"2019-01-21T09:27:53.656410-0700","flow_id":518561248904218,"event_type":"dns","src_ip":"192.168.69.246","src_port":55975,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28083,"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"AAAA","tx_id":0}}
> {"timestamp":"2019-01-21T09:27:53.730096-0700","flow_id":1961781929509906,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":53846,"proto":"UDP","dns":{"version":2,"type":"answer","id":13428,"flags":"8190","qr":true,"rd":true,"ra":true,"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.56.116.52"},{"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"104.47.124.7"},{"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.55.133.11"},{"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.56.110.11"}],"grouped":{"A":["157.56.116.52","104.47.124.7","157.55.133.11","157.56.110.11"]},"authorities":[{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780}]}}
> {"timestamp":"2019-01-21T09:27:53.737837-0700","flow_id":1335369539322903,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":47057,"proto":"UDP","dns":{"version":2,"type":"answer","id":55995,"flags":"8190","qr":true,"rd":true,"ra":true,"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"104.47.124.7"},{"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.56.110.11"},{"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.55.133.11"},{"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.56.116.52"}],"grouped":{"A":["104.47.124.7","157.56.110.11","157.55.133.11","157.56.116.52"]},"authorities":[{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780}]}}
> {"timestamp":"2019-01-21T09:27:53.739762-0700","flow_id":2107200932217881,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":47201,"proto":"UDP","dns":{"version":2,"type":"answer","id":11394,"flags":"8190","qr":true,"rd":true,"ra":true,"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"AAAA","rcode":"NOERROR"}}
> {"timestamp":"2019-01-21T09:27:53.739816-0700","flow_id":518561248904218,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":55975,"proto":"UDP","dns":{"version":2,"type":"answer","id":28083,"flags":"8190","qr":true,"rd":true,"ra":true,"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"AAAA","rcode":"NOERROR"}}
>
> {"timestamp":"2019-01-21T09:27:53.749796-0700","flow_id":575044363809590,"event_type":"alert","src_ip":"127.0.0.1","src_port":125,"dest_ip":"127.0.0.1","dest_port":51192,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210044,"rev":2,"signature":"SURICATA STREAM Packet with invalid timestamp","category":"Generic Protocol Command Decode","severity":3},"app_proto":"smtp","app_proto_tc":"failed","flow":{"pkts_toserver":30,"pkts_toclient":21,"bytes_toserver":27590,"bytes_toclient":1884,"start":"2019-01-21T09:27:52.848694-0700"}}
>
> {"timestamp":"2019-01-21T09:27:53.785019-0700","flow_id":480095179553770,"event_type":"dns","src_ip":"9.9.9.9","src_port":53,"dest_ip":"192.168.69.246","dest_port":42082,"proto":"UDP","dns":{"version":2,"type":"answer","id":12304,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800}],"grouped":{}}}
> {"timestamp":"2019-01-21T09:27:53.797553-0700","flow_id":2014992279340039,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":54690,"proto":"UDP","dns":{"version":2,"type":"answer","id":43762,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"},{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"}],"grouped":{"TXT":["v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5","N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"]},"authorities":[{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049},{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049}]}}
> {"timestamp":"2019-01-21T09:27:53.785019-0700","flow_id":480095179553770,"event_type":"dns","src_ip":"9.9.9.9","src_port":53,"dest_ip":"192.168.69.246","dest_port":42082,"proto":"UDP","dns":{"version":2,"type":"answer","id":12304,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800}],"grouped":{}}}
> {"timestamp":"2019-01-21T09:27:53.797553-0700","flow_id":2014992279340039,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":54690,"proto":"UDP","dns":{"version":2,"type":"answer","id":43762,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"},{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"}],"grouped":{"TXT":["v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5","N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"]},"authorities":[{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049},{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049}]}}
> {"timestamp":"2019-01-21T09:27:53.798912-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":41402,"proto":"UDP","dns":{"version":2,"type":"answer","id":3244,"flags":"8380","qr":true,"tc":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.hotmail.com","rrtype":"CNAME","ttl":2691,"rdata":"selector1._domainkey.outbound.protection.outlook.com"}],"grouped":{"CNAME":["selector1._domainkey.outbound.protection.outlook.com"]}}}
> {"timestamp":"2019-01-21T09:27:53.799322-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":41402,"proto":"UDP","dns":{"version":2,"type":"answer","id":3244,"flags":"8380","qr":true,"tc":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.hotmail.com","rrtype":"CNAME","ttl":2691,"rdata":"selector1._domainkey.outbound.protection.outlook.com"}],"grouped":{"CNAME":["selector1._domainkey.outbound.protection.outlook.com"]}}}
> {"timestamp":"2019-01-21T09:27:53.802212-0700","flow_id":1381218315221400,"event_type":"dns","src_ip":"127.0.0.1","src_port":56395,"dest_ip":"127.0.0.1","dest_port":53,"proto":"TCP","dns":{"type":"query","id":3244,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","tx_id":0}}
> {"timestamp":"2019-01-21T09:27:53.803505-0700","flow_id":1381218315221400,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":56395,"proto":"TCP","dns":{"version":2,"type":"answer","id":3244,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.hotmail.com","rrtype":"CNAME","ttl":2691,"rdata":"selector1._domainkey.outbound.protection.outlook.com"},{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"},{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"}],"grouped":{"TXT":["v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5","N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"],"CNAME":["selector1._domainkey.outbound.protection.outlook.com"]},"authorities":[{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049},{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049}]}}
> {"timestamp":"2019-01-21T09:27:53.828936-0700","flow_id":376415011317256,"event_type":"dns","src_ip":"127.0.0.1","src_port":44515,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35542,"rrname":"hotmail.com","rrtype":"A","tx_id":0}}
> {"timestamp":"2019-01-21T09:27:53.829426-0700","flow_id":376415011317256,"event_type":"dns","src_ip":"127.0.0.1","src_port":44515,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35542,"rrname":"hotmail.com","rrtype":"A","tx_id":1}}
> {"timestamp":"2019-01-21T09:27:53.830098-0700","flow_id":376415011317256,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":44515,"proto":"UDP","dns":{"version":2,"type":"answer","id":35542,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"hotmail.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"hotmail.com","rrtype":"A","ttl":2691,"rdata":"204.79.197.212"}],"grouped":{"A":["204.79.197.212"]},"authorities":[{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494}]}}
> {"timestamp":"2019-01-21T09:27:53.830532-0700","flow_id":376415011317256,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":44515,"proto":"UDP","dns":{"version":2,"type":"answer","id":35542,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"hotmail.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"hotmail.com","rrtype":"A","ttl":2691,"rdata":"204.79.197.212"}],"grouped":{"A":["204.79.197.212"]},"authorities":[{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494}]}}
> ----[ end ]----
>
> +================
> TIME:              01/21/2019-09:27:53.749796
> PKT SRC:           wire/pcap
> SRC IP:            127.0.0.1
> DST IP:            127.0.0.1
> PROTO:             6
> SRC PORT:          125
> DST PORT:          51192
> TCP SEQ:           3751300848
> TCP ACK:           3500256657
> FLOW:              to_server: FALSE, to_client: TRUE
> FLOW Start TS:     01/21/2019-09:27:52.848694
> FLOW PKTS TODST:   30
> FLOW PKTS TOSRC:   21
> FLOW Total Bytes:  29474
> FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
> FLOW ACTION:       DROP: FALSE
> FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
> FLOW APP_LAYER:    DETECTED: TRUE, PROTO 3
> PACKET LEN:        108
> PACKET:
>  0000  45 00 00 6C 50 43 40 00  40 06 EC 46 7F 00 00 01   E..lPC@. @..F....
>  0010  7F 00 00 01 00 7D C7 F8  DF 98 4E F0 D0 A1 AD 91   .....}.. ..N.....
>  0020  80 18 05 55 7C 88 00 00  01 01 08 0A 0D EF 54 10   ...U|... ......T.
>  0030  0D EF 54 10 32 32 31 20  73 6D 61 2D 69 6E 63 2E   ..T.221  sma-inc.
>  0040  75 73 20 43 6F 6D 6D 75  6E 69 47 61 74 65 20 50   us Commu niGate P
>  0050  72 6F 20 53 4D 54 50 20  63 6C 6F 73 69 6E 67 20   ro SMTP  closing
>  0060  63 6F 6E 6E 65 63 74 69  6F 6E 0D 0A               connecti on..
> ALERT CNT:           1
> ALERT MSG [00]:      SURICATA STREAM Packet with invalid timestamp
> ALERT GID [00]:      1
> ALERT SID [00]:      2210044
> ALERT REV [00]:      2
> ALERT CLASS [00]:    Generic Protocol Command Decode
> ALERT PRIO [00]:     3
> ALERT FOUND IN [00]: PACKET
> ALERT IN TX [00]:    N/A
> PAYLOAD LEN:         56
> PAYLOAD:
>  0000  32 32 31 20 73 6D 61 2D  69 6E 63 2E 75 73 20 43   221 sma- inc.us C
>  0010  6F 6D 6D 75 6E 69 47 61  74 65 20 50 72 6F 20 53   ommuniGa te Pro S
>  0020  4D 54 50 20 63 6C 6F 73  69 6E 67 20 63 6F 6E 6E   MTP clos ing conn
>  0030  65 63 74 69 6F 6E 0D 0A                            ection..
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> Think.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



-- 
Regards,
Peter Manev
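The alert in the quoted post is a stream-engine event (sid 2210044 fires on Suricata's `pkt_invalid_timestamp` stream event), so the first thing to look at in the packet dump is the TCP timestamp option. The following is an added example, not code from the thread or from the Suricata project: it decodes the packet bytes copied from the hex dump above, pulls out TSval/TSecr, and applies the core PAWS rule from RFC 7323 (a segment whose TSval is older than the last one seen in the same direction is rejected). Suricata's own check keeps more state than this (per-side last timestamps, zero-timestamp handling, an idle tolerance), so treat `paws_invalid` as the simplified rule, not Suricata's implementation. The helper names are this example's own.

```python
import struct

# Packet bytes copied from the hex dump in the post above
# (IPv4 header + TCP header with options + the SMTP "221 ... closing connection" payload).
PACKET_HEX = """
45 00 00 6C 50 43 40 00 40 06 EC 46 7F 00 00 01
7F 00 00 01 00 7D C7 F8 DF 98 4E F0 D0 A1 AD 91
80 18 05 55 7C 88 00 00 01 01 08 0A 0D EF 54 10
0D EF 54 10 32 32 31 20 73 6D 61 2D 69 6E 63 2E
75 73 20 43 6F 6D 6D 75 6E 69 47 61 74 65 20 50
72 6F 20 53 4D 54 50 20 63 6C 6F 73 69 6E 67 20
63 6F 6E 6E 65 63 74 69 6F 6E 0D 0A
"""
PACKET = bytes.fromhex(PACKET_HEX)

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8


def parse_tcp_options(opts):
    """Walk the TCP options block and return {kind: option data}.
    EOL ends the walk, NOP is a single padding byte, everything else is kind/len/data."""
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def parse_packet(pkt):
    """Decode IPv4 + TCP headers and return the fields relevant to the stream check."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4          # TCP header length incl. options
    flags = off_flags & 0x1FF
    opts = parse_tcp_options(tcp[20:doff])
    ts = None
    if TCPOPT_TIMESTAMP in opts and len(opts[TCPOPT_TIMESTAMP]) == 8:
        ts = struct.unpack("!II", opts[TCPOPT_TIMESTAMP])  # (TSval, TSecr)
    return {
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "seq": seq, "ack": ack, "flags": flags, "window": win,
        "tsval": ts[0] if ts else None, "tsecr": ts[1] if ts else None,
        "payload": tcp[doff:],
    }


def ts_older(a, b):
    """True if 32-bit timestamp a is strictly older than b, using the
    modular comparison RFC 7323 prescribes so wraparound is handled."""
    return ((a - b) & 0xFFFFFFFF) >= 0x80000000


def paws_invalid(last_tsval, tsval):
    """Simplified PAWS rule: a segment whose TSval lags the newest TSval already
    seen in the same direction has an invalid timestamp. Unknown values pass."""
    if last_tsval is None or tsval is None:
        return False
    return ts_older(tsval, last_tsval)


if __name__ == "__main__":
    p = parse_packet(PACKET)
    print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
          f"TSval={p['tsval']:#x} TSecr={p['tsecr']:#x} payload={p['payload'][:20]!r}")
```

Run it on the packet from the post and you get TSval and TSecr both equal to 0x0DEF5410, which is normal on loopback where one clock stamps both ends. To decide whether this alert is a false positive you need the TSval of the previous packet the server sent on the same flow, which the eve record does not carry; that is exactly why a pcap of the whole session is the thing to look at.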

