[Oisf-users] False Positive for 2210044?

James Moe jimoe at sohnen-moe.com
Mon Jan 21 17:30:49 UTC 2019


Hello,
  suricata 4.1.2
  opensuse leap 15.0

  There have recently been a lot of hits on rule #2210044. Most of them
occur when the local email server is responding to the sending agent.
Sometimes, it is in response to a DNS request.
  Below is the json record of the transaction.

  Is this a false positive?

01/21/2019-09:27:53.749796  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 127.0.0.1:125 -> 127.0.0.1:51192

----[ json ]----
{"timestamp":"2019-01-21T09:27:53.109208-0700","flow_id":897471511439478,"event_type":"dns","src_ip":"192.168.69.246","src_port":37544,"dest_ip":"208.67.220.220","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54078,"rrname":"apache.org","rrtype":"NS","tx_id":330}}
{"timestamp":"2019-01-21T09:27:53.113569-0700","flow_id":480095179553770,"event_type":"dns","src_ip":"192.168.69.246","src_port":42082,"dest_ip":"9.9.9.9","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12304,"rrname":"apache.org","rrtype":"NS","tx_id":329}}
{"timestamp":"2019-01-21T09:27:53.117929-0700","flow_id":1975113165753464,"event_type":"dns","src_ip":"192.168.69.246","src_port":59652,"dest_ip":"208.67.222.222","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25664,"rrname":"apache.org","rrtype":"NS","tx_id":330}}
{"timestamp":"2019-01-21T09:27:53.122277-0700","flow_id":235333583297706,"event_type":"dns","src_ip":"192.168.69.246","src_port":51584,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15800,"rrname":"apache.org","rrtype":"NS","tx_id":330}}
{"timestamp":"2019-01-21T09:27:53.132544-0700","flow_id":897471511439478,"event_type":"dns","src_ip":"208.67.220.220","src_port":53,"dest_ip":"192.168.69.246","dest_port":37544,"proto":"UDP","dns":{"version":2,"type":"answer","id":54078,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1713},{"rrname":"apache.org","rrtype":"NS","ttl":1713},{"rrname":"apache.org","rrtype":"NS","ttl":1713},{"rrname":"apache.org","rrtype":"NS","ttl":1713},{"rrname":"apache.org","rrtype":"NS","ttl":1713}],"grouped":{}}}
{"timestamp":"2019-01-21T09:27:53.144860-0700","flow_id":1975113165753464,"event_type":"dns","src_ip":"208.67.222.222","src_port":53,"dest_ip":"192.168.69.246","dest_port":59652,"proto":"UDP","dns":{"version":2,"type":"answer","id":25664,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1060},{"rrname":"apache.org","rrtype":"NS","ttl":1060},{"rrname":"apache.org","rrtype":"NS","ttl":1060},{"rrname":"apache.org","rrtype":"NS","ttl":1060},{"rrname":"apache.org","rrtype":"NS","ttl":1060}],"grouped":{}}}
{"timestamp":"2019-01-21T09:27:53.153017-0700","flow_id":235333583297706,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":51584,"proto":"UDP","dns":{"version":2,"type":"answer","id":15800,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800}],"grouped":{}}}
{"timestamp":"2019-01-21T09:27:53.535571-0700","flow_id":1717136297349739,"event_type":"smtp","src_ip":"140.211.11.3","src_port":34921,"dest_ip":"192.168.69.246","dest_port":25,"proto":"TCP","tx_id":0,"smtp":{"helo":"mail.apache.org","mail_from":"<users-return-118376-jimoe=sohnen-moe.com at httpd.apache.org>","rcpt_to":["<jimoe at sohnen-moe.com>"]},"email":{"status":"PARSE_DONE","from":"Osman Zakir <osmanzakir90 at hotmail.com>","to":["\"users at httpd.apache.org\" <users at httpd.apache.org>"],"url":["192.168.10.12:5501\/?q=accesskey","192.168.10.12:5501\/","192.168.10.12:5501\/?q=accesskey"\u200B","192.168.10.12:5501\/"\u200B"]}}
{"timestamp":"2019-01-21T09:27:53.609825-0700","flow_id":575044363809590,"event_type":"smtp","src_ip":"127.0.0.1","src_port":51192,"dest_ip":"127.0.0.1","dest_port":125,"proto":"TCP","tx_id":0,"smtp":{"helo":"mail.apache.org","mail_from":"<users-return-118376-jimoe=sohnen-moe.com at httpd.apache.org>","rcpt_to":["<jimoe at sohnen-moe.com>"]},"email":{"status":"PARSE_DONE","from":"Osman Zakir <osmanzakir90 at hotmail.com>","to":["\"users at httpd.apache.org\" <users at httpd.apache.org>"],"url":["192.168.10.12:5501\/?q=accesskey","192.168.10.12:5501\/","192.168.10.12:5501\/?q=accesskey"\u200B","192.168.10.12:5501\/"\u200B"]}}
{"timestamp":"2019-01-21T09:27:53.655387-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":41402,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3244,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","tx_id":0}}
{"timestamp":"2019-01-21T09:27:53.655622-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":41402,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3244,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","tx_id":1}}
{"timestamp":"2019-01-21T09:27:53.656402-0700","flow_id":1961781929509906,"event_type":"dns","src_ip":"192.168.69.246","src_port":53846,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13428,"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-21T09:27:53.656391-0700","flow_id":2014992279340039,"event_type":"dns","src_ip":"192.168.69.246","src_port":54690,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43762,"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","tx_id":0}}
{"timestamp":"2019-01-21T09:27:53.656407-0700","flow_id":1335369539322903,"event_type":"dns","src_ip":"192.168.69.246","src_port":47057,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":55995,"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-21T09:27:53.656409-0700","flow_id":2107200932217881,"event_type":"dns","src_ip":"192.168.69.246","src_port":47201,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11394,"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"AAAA","tx_id":0}}
{"timestamp":"2019-01-21T09:27:53.656410-0700","flow_id":518561248904218,"event_type":"dns","src_ip":"192.168.69.246","src_port":55975,"dest_ip":"64.119.32.101","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28083,"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"AAAA","tx_id":0}}
{"timestamp":"2019-01-21T09:27:53.730096-0700","flow_id":1961781929509906,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":53846,"proto":"UDP","dns":{"version":2,"type":"answer","id":13428,"flags":"8190","qr":true,"rd":true,"ra":true,"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.56.116.52"},{"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"104.47.124.7"},{"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.55.133.11"},{"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.56.110.11"}],"grouped":{"A":["157.56.116.52","104.47.124.7","157.55.133.11","157.56.110.11"]},"authorities":[{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780}]}}
{"timestamp":"2019-01-21T09:27:53.737837-0700","flow_id":1335369539322903,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":47057,"proto":"UDP","dns":{"version":2,"type":"answer","id":55995,"flags":"8190","qr":true,"rd":true,"ra":true,"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"104.47.124.7"},{"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.56.110.11"},{"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.55.133.11"},{"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"A","ttl":30,"rdata":"157.56.116.52"}],"grouped":{"A":["104.47.124.7","157.56.110.11","157.55.133.11","157.56.116.52"]},"authorities":[{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780},{"rrname":"o365filtering.com","rrtype":"NS","ttl":29780}]}}
{"timestamp":"2019-01-21T09:27:53.739762-0700","flow_id":2107200932217881,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":47201,"proto":"UDP","dns":{"version":2,"type":"answer","id":11394,"flags":"8190","qr":true,"rd":true,"ra":true,"rrname":"ns1-gtm.glbdns.o365filtering.com","rrtype":"AAAA","rcode":"NOERROR"}}
{"timestamp":"2019-01-21T09:27:53.739816-0700","flow_id":518561248904218,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":55975,"proto":"UDP","dns":{"version":2,"type":"answer","id":28083,"flags":"8190","qr":true,"rd":true,"ra":true,"rrname":"ns2-gtm.glbdns.o365filtering.com","rrtype":"AAAA","rcode":"NOERROR"}}

{"timestamp":"2019-01-21T09:27:53.749796-0700","flow_id":575044363809590,"event_type":"alert","src_ip":"127.0.0.1","src_port":125,"dest_ip":"127.0.0.1","dest_port":51192,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210044,"rev":2,"signature":"SURICATA STREAM Packet with invalid timestamp","category":"Generic Protocol Command Decode","severity":3},"app_proto":"smtp","app_proto_tc":"failed","flow":{"pkts_toserver":30,"pkts_toclient":21,"bytes_toserver":27590,"bytes_toclient":1884,"start":"2019-01-21T09:27:52.848694-0700"}}

{"timestamp":"2019-01-21T09:27:53.785019-0700","flow_id":480095179553770,"event_type":"dns","src_ip":"9.9.9.9","src_port":53,"dest_ip":"192.168.69.246","dest_port":42082,"proto":"UDP","dns":{"version":2,"type":"answer","id":12304,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"apache.org","rrtype":"NS","rcode":"NOERROR","answers":[{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800},{"rrname":"apache.org","rrtype":"NS","ttl":1800}],"grouped":{}}}
{"timestamp":"2019-01-21T09:27:53.797553-0700","flow_id":2014992279340039,"event_type":"dns","src_ip":"64.119.32.101","src_port":53,"dest_ip":"192.168.69.246","dest_port":54690,"proto":"UDP","dns":{"version":2,"type":"answer","id":43762,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"},{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"}],"grouped":{"TXT":["v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5","N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"]},"authorities":[{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049},{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049}]}}
{"timestamp":"2019-01-21T09:27:53.798912-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":41402,"proto":"UDP","dns":{"version":2,"type":"answer","id":3244,"flags":"8380","qr":true,"tc":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.hotmail.com","rrtype":"CNAME","ttl":2691,"rdata":"selector1._domainkey.outbound.protection.outlook.com"}],"grouped":{"CNAME":["selector1._domainkey.outbound.protection.outlook.com"]}}}
{"timestamp":"2019-01-21T09:27:53.799322-0700","flow_id":1478701187923995,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":41402,"proto":"UDP","dns":{"version":2,"type":"answer","id":3244,"flags":"8380","qr":true,"tc":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.hotmail.com","rrtype":"CNAME","ttl":2691,"rdata":"selector1._domainkey.outbound.protection.outlook.com"}],"grouped":{"CNAME":["selector1._domainkey.outbound.protection.outlook.com"]}}}
{"timestamp":"2019-01-21T09:27:53.802212-0700","flow_id":1381218315221400,"event_type":"dns","src_ip":"127.0.0.1","src_port":56395,"dest_ip":"127.0.0.1","dest_port":53,"proto":"TCP","dns":{"type":"query","id":3244,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","tx_id":0}}
{"timestamp":"2019-01-21T09:27:53.803505-0700","flow_id":1381218315221400,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":56395,"proto":"TCP","dns":{"version":2,"type":"answer","id":3244,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"selector1._domainkey.hotmail.com","rrtype":"TXT","rcode":"NOERROR","answers":[{"rrname":"selector1._domainkey.hotmail.com","rrtype":"CNAME","ttl":2691,"rdata":"selector1._domainkey.outbound.protection.outlook.com"},{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5"},{"rrname":"selector1._domainkey.outbound.protection.outlook.com","rrtype":"TXT","ttl":600,"rdata":"N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"}],"grouped":{"TXT":["v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWyktrIL8DO\/+UGvMbv7cPd\/Xogpbs7pgVw8y9ldO6AAMmg8+ijENl\/c7Fb1MfKM7uG3LMwAr0dVVKyM+mbkoX2k5L7lsROQr0Z9gGSpu7xrnZOa58+\/pIhd2Xk\/DFPpa5+TKbWodbsSZPRN8z0RY5x59jdzSclXlEyN9mEZdmOiKTsOP6A7vQxfSya9jg5","N81dfNNvP7HnWejMMsKyIMrXptxOhIBuEYH67JDe98QgX14oHvGM2Uz53if\/SW8MF09rYh9sp4ZsaWLIg6T343JzlbtrsGRGCDJ9JPpxRWZimtz+Up\/BlKzT6sCCrBihb\/Bi3pZiEBB4Ui\/vruL5RCQIDAQAB;n=2048,1452627113,1468351913"],"CNAME":["selector1._domainkey.outbound.protection.outlook.com"]},"authorities":[{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049},{"rrname":"protection.outlook.com","rrtype":"NS","ttl":3049}]}}
{"timestamp":"2019-01-21T09:27:53.828936-0700","flow_id":376415011317256,"event_type":"dns","src_ip":"127.0.0.1","src_port":44515,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35542,"rrname":"hotmail.com","rrtype":"A","tx_id":0}}
{"timestamp":"2019-01-21T09:27:53.829426-0700","flow_id":376415011317256,"event_type":"dns","src_ip":"127.0.0.1","src_port":44515,"dest_ip":"127.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35542,"rrname":"hotmail.com","rrtype":"A","tx_id":1}}
{"timestamp":"2019-01-21T09:27:53.830098-0700","flow_id":376415011317256,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":44515,"proto":"UDP","dns":{"version":2,"type":"answer","id":35542,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"hotmail.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"hotmail.com","rrtype":"A","ttl":2691,"rdata":"204.79.197.212"}],"grouped":{"A":["204.79.197.212"]},"authorities":[{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494}]}}
{"timestamp":"2019-01-21T09:27:53.830532-0700","flow_id":376415011317256,"event_type":"dns","src_ip":"127.0.0.1","src_port":53,"dest_ip":"127.0.0.1","dest_port":44515,"proto":"UDP","dns":{"version":2,"type":"answer","id":35542,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"hotmail.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"hotmail.com","rrtype":"A","ttl":2691,"rdata":"204.79.197.212"}],"grouped":{"A":["204.79.197.212"]},"authorities":[{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494},{"rrname":"hotmail.com","rrtype":"NS","ttl":59494}]}}
----[ end ]----

+================
TIME:              01/21/2019-09:27:53.749796
PKT SRC:           wire/pcap
SRC IP:            127.0.0.1
DST IP:            127.0.0.1
PROTO:             6
SRC PORT:          125
DST PORT:          51192
TCP SEQ:           3751300848
TCP ACK:           3500256657
FLOW:              to_server: FALSE, to_client: TRUE
FLOW Start TS:     01/21/2019-09:27:52.848694
FLOW PKTS TODST:   30
FLOW PKTS TOSRC:   21
FLOW Total Bytes:  29474
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 3
PACKET LEN:        108
PACKET:
 0000  45 00 00 6C 50 43 40 00  40 06 EC 46 7F 00 00 01   E..lPC@. @..F....
 0010  7F 00 00 01 00 7D C7 F8  DF 98 4E F0 D0 A1 AD 91   .....}.. ..N.....
 0020  80 18 05 55 7C 88 00 00  01 01 08 0A 0D EF 54 10   ...U|... ......T.
 0030  0D EF 54 10 32 32 31 20  73 6D 61 2D 69 6E 63 2E   ..T.221  sma-inc.
 0040  75 73 20 43 6F 6D 6D 75  6E 69 47 61 74 65 20 50   us Commu niGate P
 0050  72 6F 20 53 4D 54 50 20  63 6C 6F 73 69 6E 67 20   ro SMTP  closing
 0060  63 6F 6E 6E 65 63 74 69  6F 6E 0D 0A               connecti on..
ALERT CNT:           1
ALERT MSG [00]:      SURICATA STREAM Packet with invalid timestamp
ALERT GID [00]:      1
ALERT SID [00]:      2210044
ALERT REV [00]:      2
ALERT CLASS [00]:    Generic Protocol Command Decode
ALERT PRIO [00]:     3
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]:    N/A
PAYLOAD LEN:         56
PAYLOAD:
 0000  32 32 31 20 73 6D 61 2D  69 6E 63 2E 75 73 20 43   221 sma- inc.us C
 0010  6F 6D 6D 75 6E 69 47 61  74 65 20 50 72 6F 20 53   ommuniGa te Pro S
 0020  4D 54 50 20 63 6C 6F 73  69 6E 67 20 63 6F 6E 6E   MTP clos ing conn
 0030  65 63 74 69 6F 6E 0D 0A                            ection..
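
To check the alerted packet by hand, the following added example (mine, not code from the original post or from Suricata) rebuilds the bytes from the PACKET hex dump above, decodes the IPv4 and TCP headers, and walks the TCP option list to pull out the timestamp option that this signature's name refers to; the packet bytes embedded in it are copied from the dump above. For this packet both TSval and TSecr decode to 0x0DEF5410, and the 56-byte payload is the SMTP "221 ... closing connection" line shown in the PAYLOAD dump.

```python
import re
import struct

# Packet bytes copied from the "PACKET:" dump in the alert above; the
# parser reads the hex columns only and ignores the ASCII column.
PACKET_DUMP = """\
 0000  45 00 00 6C 50 43 40 00  40 06 EC 46 7F 00 00 01   E..lPC@. @..F....
 0010  7F 00 00 01 00 7D C7 F8  DF 98 4E F0 D0 A1 AD 91   .....}.. ..N.....
 0020  80 18 05 55 7C 88 00 00  01 01 08 0A 0D EF 54 10   ...U|... ......T.
 0030  0D EF 54 10 32 32 31 20  73 6D 61 2D 69 6E 63 2E   ..T.221  sma-inc.
 0040  75 73 20 43 6F 6D 6D 75  6E 69 47 61 74 65 20 50   us Commu niGate P
 0050  72 6F 20 53 4D 54 50 20  63 6C 6F 73 69 6E 67 20   ro SMTP  closing
 0060  63 6F 6E 6E 65 63 74 69  6F 6E 0D 0A               connecti on..
"""

FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
              0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from a Suricata hex dump: '<off>  <hex...>   <ascii>'.
    The ASCII column is split off at the first run of three or more spaces."""
    out = bytearray()
    for line in dump.splitlines():
        if line.strip():
            hex_part = re.split(r"\s{3,}", line.strip(), maxsplit=1)[0]
            out.extend(int(tok, 16) for tok in hex_part.split()[1:])
    return bytes(out)

def parse_tcp_options(opts: bytes) -> dict:
    """Walk the TCP option list; decode kind 8 (timestamps, RFC 7323)."""
    result, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, data = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 8 and length == 10:
            result["tsval"], result["tsecr"] = struct.unpack("!II", data)
        else:
            result["kind%d" % kind] = data.hex()
        i += length
    return result

def decode_packet(raw: bytes) -> dict:
    """Decode IPv4 + TCP headers into the fields compared against the alert."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4          # TCP header length incl. options
    ip_str = lambda b: ".".join(str(x) for x in b)
    return {
        "src": (ip_str(raw[12:16]), sport), "dst": (ip_str(raw[16:20]), dport),
        "seq": seq, "ack": ack,
        "flags": [n for bit, n in sorted(FLAG_NAMES.items()) if off_flags & bit],
        "options": parse_tcp_options(tcp[20:doff]),
        "payload": tcp[doff:],
    }

def decode_alert_packet() -> dict:
    """Decode the packet quoted in the 2210044 alert dump above."""
    return decode_packet(parse_hexdump(PACKET_DUMP))
```

The decoded seq/ack and ports match the alert header fields, so the remaining thing to compare when triaging this alert is the TSval/TSecr pair against the timestamps the stream engine has already seen on the same flow.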

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
